Introduction to Computational Logic
Lecture Notes SS 2008
July 14, 2008
Gert Smolka and Chad E. Brown
Department of Computer Science
Saarland University
Copyright © 2008 by Gert Smolka, All Rights Reserved
Contents
1 Introduction 1
2 Structure of Mathematical Statements 3
2.1 Functions and Lambda Notation . . . . . . . . . . . . . . . . . . . . . . 3
2.2 Boolean Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.3 Operator Precedence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.4 Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.5 Locally Nameless Term Representation . . . . . . . . . . . . . . . . . . 7
2.6 Formulas, Identities, and Overloading . . . . . . . . . . . . . . . . . . . 8
2.7 Quantifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.8 Sets as Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.9 Choice Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.10 Some Logical Laws . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.11 Remarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
3 Terms and Types 15
3.1 Untyped Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
3.2 Contexts and Subterms . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
3.3 Substitution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
3.4 Alpha Equivalence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
3.5 Confluence and Termination . . . . . . . . . . . . . . . . . . . . . . . . 20
3.6 Beta and Eta Reduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
3.7 Typed Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
3.8 Remarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
4 Interpretation and Specification 29
4.1 Interpretations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
4.2 Semantic Equivalence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
4.3 Formulas and Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
4.4 Specification of the Natural Numbers . . . . . . . . . . . . . . . . . . . 33
5 Formal Proofs 37
5.1 Abstract Proof Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
5.2 Deducible Sequents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
5.3 Derived Rules for Turnstile and Implication . . . . . . . . . . . . . . . 41
5.4 Derived Rules for Identities . . . . . . . . . . . . . . . . . . . . . . . . . 42
5.5 BCA and Tautologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
5.6 Natural Deduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
5.7 Predicate Logic and Completeness . . . . . . . . . . . . . . . . . . . . . 49
5.8 Natural Language Proofs and Natural Deduction Proofs . . . . . . . . 49
5.9 More Derivations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
5.10 Simplifying Lam and Sub . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
5.11 Remarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
5.12 Bonus: Equational Deduction . . . . . . . . . . . . . . . . . . . . . . . . 56
6 Tableau Proofs 61
6.1 An Example: Peirce’s Law . . . . . . . . . . . . . . . . . . . . . . . . . . 61
6.2 Refutations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
6.3 Tableaux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
6.4 Refutation Rules for Propositional Logic . . . . . . . . . . . . . . . . . 68
6.5 Quantifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
6.6 Termination and Completeness with Restrictions . . . . . . . . . . . 84
6.7 Cantor’s Theorem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
6.7.1 Russell’s Law/Turing’s Law . . . . . . . . . . . . . . . . . . . . . 97
6.7.2 More about the Lambda rule . . . . . . . . . . . . . . . . . . . . 97
6.8 Equality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
6.9 Excluded Middle as a Rule . . . . . . . . . . . . . . . . . . . . . . . . . . 99
6.10 Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
6.10.1 Expressing Universal Quantification in terms of Existential . 100
6.10.2 Expressing Equality using Higher-Order Quantifiers . . . . . . 101
6.10.3 Solving Easy Equations . . . . . . . . . . . . . . . . . . . . . . . . 102
6.10.4 Expressing Conjunction with → and ⊥ . . . . . . . . . . . . . . 103
6.10.5 Expressing Conjunction with Higher-Order Quantification . . 104
6.10.6 Kaminski Equation . . . . . . . . . . . . . . . . . . . . . . . . . . 105
6.10.7 Choice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
7 A Taste of Set Theory 109
8 Decision Trees 117
8.1 Boolean Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
8.2 Decision Trees and Prime Trees . . . . . . . . . . . . . . . . . . . . . . . 120
8.3 Existence of Prime Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
8.4 Example: Diet Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
8.5 Uniqueness of Prime Trees . . . . . . . . . . . . . . . . . . . . . . . . . . 123
8.6 Properties of Prime Trees . . . . . . . . . . . . . . . . . . . . . . . . . . 124
8.7 Prime Tree Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
8.8 BDDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
8.9 Polynomial Runtime through Memorization . . . . . . . . . . . . . . . 132
8.10 Remarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
9 Modal Logic 133
9.1 Modal Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
9.2 A Knowledge Base . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
9.3 Kripke Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
9.4 Some Deducible Facts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
9.5 Modal Completeness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
9.5.1 Interderivability . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
9.5.2 Theories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
9.5.3 Pure First-Order Logic . . . . . . . . . . . . . . . . . . . . . . . . 143
9.5.4 Defined Constants . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
9.5.5 The Main Result . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
9.6 Modal Refutability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
9.7 A Tableau System for Modal Formulas . . . . . . . . . . . . . . . . . . 146
9.7.1 Falsification Soundness . . . . . . . . . . . . . . . . . . . . . . . 147
9.7.2 Refutation Soundness . . . . . . . . . . . . . . . . . . . . . . . . 148
9.7.3 Verification Soundness . . . . . . . . . . . . . . . . . . . . . . . . 149
9.8 Termination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
9.8.1 Termination for ∀-Free Clauses . . . . . . . . . . . . . . . . . . 151
9.8.2 Termination with Rp♦ . . . . . . . . . . . . . . . . . . . . . . . . . 152
9.9 Remarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Tautologies 157
Bibliography 158
1 Introduction
2 Structure of Mathematical Statements
We outline a language for expressing mathematical statements. It employs func-
tions as its main means of expression. Of particular importance are higher-order
functions taking functions as arguments. The language has much in common
with functional programming languages such as ML and Haskell. It is formal
in the sense that it can be realized on a computer. We distinguish between the
notational, syntactic and semantic level of the language.
2.1 Functions and Lambda Notation
Everyone knows that a function is something that takes an argument and yields
a result. Nowadays, functions are defined as sets of pairs. If (x,y) ∈ f , then the
application of the function f to the argument x yields the result y . Here is the
precise definition.
Let X and Y be sets. A function X → Y is a set f ⊆ X × Y such that
1. ∀x ∈ X ∃y ∈ Y : (x,y) ∈ f
2. (x,y) ∈ f ∧ (x,y′) ∈ f =⇒ y = y′
We use X → Y to denote the set of all functions X → Y . If f ∈ X → Y and x ∈ X,
we write fx for the unique y such that (x,y) ∈ f . We write fx+5 for (fx)+5.
The canonical means for describing functions is the lambda notation devel-
oped by the American logician Alonzo Church [9]. Here is an example:
λx∈Z. x2
This notation describes the function Z → Z that squares its argument (i.e.,
yields x2 for x). The following equation holds:
(λx∈Z. x2) = { (x, x2) | x ∈ Z }
It shows the analogy between the lambda notation and the more common set
notation.
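The correspondence between lambda notation and set notation can be executed directly. The following sketch (ours, not part of the notes; a finite sample of Z replaces all of Z, since a program cannot enumerate an infinite set) builds the squaring function both ways:

```python
# The function described by λx∈Z. x², as a lambda and as a set of pairs.
square = lambda x: x * x

# The same function as a set of pairs, over a finite sample of Z.
domain = range(-3, 4)
square_as_set = {(x, x * x) for x in domain}

# Application via the set-of-pairs view: the unique y with (x, y) ∈ f.
def apply_pairs(f, x):
    [y] = [b for (a, b) in f if a == x]
    return y

assert square(3) == 9
assert apply_pairs(square_as_set, 3) == 9
```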
According to our definition, functions take a single argument. To represent
operations with more than one argument (e.g., addition of two numbers), one
often uses functions that are applied to tuples (x1, . . . , xn) that contain the ar-
guments x1, . . . , xn for the operation. We call such functions cartesian and speak
of the cartesian representation of an operation. The cartesian function repre-
senting addition of integers has the type Z×Z→ Z. It takes a pair (x,y) as single
argument and returns the number x +y .
Functions that return functions as results are called cascaded. Lambda no-
tation makes it easy to describe cascaded functions. As example, consider the
definition
plus := λx∈Z. λy∈Z. x +y
which binds the name plus to a function of type Z → (Z → Z). When we apply
plus to an argument a, we obtain a function Z → Z. When we apply this function
to an argument b, we get a+ b as result. With symbols:
(plus a)b = ((λx∈Z. λy∈Z. x +y)a)b = (λy∈Z. a+y)b = a+ b
We say that plus is a cascaded representation of the addition operation for in-
tegers. Cascaded representations are often called Curried representations, after
the logician Haskell Curry. The idea goes back to Frege [14]. It was fully de-
veloped in a paper by Moses Schönfinkel [35] on the primitives of mathematical
language. We prefer the cascaded representation over the cartesian representa-
tion since the cascaded representation doesn’t require tuples. Following common
practice, we omit parentheses as follows:
fxy ⇝ (fx)y
X → Y → Z ⇝ X → (Y → Z)
Using this convenience, we can write plus 3 7 = 10 and plus ∈ Z → Z→ Z.
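The two representations of addition can be mimicked directly in a functional programming language. A sketch in Python (the names plus_cartesian and plus are ours):

```python
# Cartesian representation: a single tuple argument, type Z × Z → Z.
plus_cartesian = lambda pair: pair[0] + pair[1]

# Cascaded (curried) representation, type Z → Z → Z.
plus = lambda x: lambda y: x + y

# Partial application: plus(3) is itself a function Z → Z.
add3 = plus(3)

assert plus_cartesian((3, 7)) == 10
assert plus(3)(7) == 10
assert add3(7) == 10
```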
2.2 Boolean Operations
We use the numbers 0 and 1 as Boolean values, where 0 may be thought of as
“false” and 1 as “true”. We define
B := {0,1}
As in programming languages, we adopt the convention that expressions like
3 ≤ x yield a Boolean value. This explains the following equations:
(3 < 7) = 1
(7 ≤ 3) = 0
(3 = 7) = 0
The following equations define well-known Boolean operations:
¬x = 1− x Negation
(x ∧y) = min{x,y} Conjunction
(x ∨y) = max{x,y} Disjunction
(x → y) = (¬x ∨ y) Implication
(x ≡ y) = (x = y) Equivalence
We represent Boolean operations as functions. Negation is a function B → B and
the binary operations are functions B → B → B. We use the symbols ¬, ∧, ∨, →,
≡ as names for these functions.
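The arithmetic definitions above can be transcribed literally into code. A sketch in Python (the function names are our own, standing in for the symbols ¬, ∧, ∨, →, ≡):

```python
# Boolean operations on {0, 1}, defined exactly as in the equations above.
neg  = lambda x: 1 - x                         # ¬x = 1 − x
conj = lambda x: lambda y: min(x, y)           # x ∧ y = min{x, y}
disj = lambda x: lambda y: max(x, y)           # x ∨ y = max{x, y}
impl = lambda x: lambda y: disj(neg(x))(y)     # x → y = ¬x ∨ y
equi = lambda x: lambda y: int(x == y)         # x ≡ y = (x = y)

assert impl(1)(0) == 0 and impl(0)(0) == 1
assert equi(0)(0) == 1 and equi(0)(1) == 0
```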
Exercise 2.2.1 Consider the values
0,1 ∈ B
¬ ∈ B → B
∧,∨,→,≡ ∈ B → B → B
With 0 and → one can express 1 as follows: 1 = (0 → 0).
a) Express ¬, ∧, ∨, and ≡ with 0 and →.
b) Express 0, ∧, and → with 1, ¬, and ∨.
2.3 Operator Precedence
An operator is a symbol for a binary operation. There are established conven-
tions that make it possible to write operator applications without parentheses.
For example:
3·x +y ⇝ (3 · x)+y
The symbols + and · are said to be infix operators, and the operator · is said to
take its arguments before the operator +. We assume the following precedence
hierarchy for some commonly used operators:
≡
→
∨
∧
¬
= < ≤ > ≥
+ −
·
Symbols appearing lower in the hierarchy take their arguments before symbols
appearing higher in the hierarchy. Here are examples of notations that omit
parentheses according to the precedence hierarchy:
x ∨ x ∧y ≡ x ⇝ (x ∨ (x ∧y)) ≡ x
¬¬x = y ≡ y = x ⇝ ¬(¬(x = y)) ≡ (y = x)
We write s ≠ t and s ≢ t as abbreviations for ¬(s = t) and ¬(s ≡ t).
2.4 Terms
We distinguish between notation and syntax. For instance, the notations
x ·y + z and (x · y) + z are different but both describe the same syntac-
tic object. We call the syntactic objects described by notations terms. Terms can
be represented as trees. For instance, the notation x ∧y describes the term
      •
     / \
    •   y
   / \
  ∧   x
and the notation x ∧y ∨ z describes the term
        •
       / \
      •   z
     / \
    ∨   •
       / \
      •   y
     / \
    ∧   x
The inner nodes • of the trees represent function applications. The leaves of the
tree are marked with names. Given values for the names appearing in a term,
one can evaluate the term by performing the applications. Of course, the values
involved must have the right types. The value appearing at the left-hand side of
an application must be a function that is defined on the value appearing at the
right-hand side of the application. Binary applications suffice since operations
taking more than one argument are seen as cascaded functions.
The λ-notation describes special terms called λ-abstractions or λ-terms. For
instance, the notation λx∈N. x + y describes the following λ-term:
    λx∈N
      |
      •
     / \
    •   y
   / \
  +   x
The name x acts as argument name. The argument name of a λ-term makes it
possible to refer in the body of the λ-term to the argument of the function the
λ-term describes.
We distinguish between three levels: the notational level, the syntactic level,
and the semantic level. For instance, λx∈N. 2·x is first of all a notation. This
notation describes a certain λ-term, which is a syntactic object. And the λ-term
describes a function, which is a semantic object. Terms abstract from the details
of notations. For this reason, there are usually many different notations for the
same term. Operator precedence is an issue that belongs to the notational level.
Since terms are tree-like objects, there is no need for operator precedence at the
syntactic level.
A few words about how we say things. When we say the term λx∈N. 2·x,
we mean the term described by the notation λx∈N. 2·x. And when we say the
function λx∈N. 2·x, we mean the function described by the term described by
the notation λx∈N. 2·x.
2.5 Locally Nameless Term Representation
λ-terms introduce argument names, which are also called local names. It is
common to speak of argument variables or local variables. Argument names
make it possible to refer in the body of a λ-term to the argument of the function
the λ-term describes. As an alternative to argument names one can use numeric
argument references, which yield a locally nameless term representation. The
locally nameless representation of the term λx∈N. x +y looks as follows:
    λN
     |
     •
    / \
   •   y
  / \
  +  〈0〉
The idea behind the locally nameless representation becomes clearer, if we look
at the tree representing the term described by the notation λx∈X. λy∈Y . fyx:
    λX
     |
    λY
     |
     •
    / \
   •  〈1〉
  / \
  f  〈0〉
An argument reference 〈n〉 refers to a λ-node on the unique path to the root.
The number n says how many λ-nodes are to be skipped before the right λ-node
is reached. For instance, 〈0〉 refers to the first λ-node encountered on the path
to the root, and 〈1〉 to the second.
The locally nameless term representation is useful since it represents the
binding structure of a term more explicitly than the name-based term represen-
tation. Note that we consider the terms λx∈X.x and λy∈X.y to be different
although they have the same locally nameless representation.
Numeric argument references are common in machine-oriented languages.
For terms, they were invented by the Dutch logician Nicolaas de Bruijn [12]. For
this reason, numeric argument references in terms are often called de Bruijn
indices.
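The translation from named terms to de Bruijn indices can be sketched as a small recursive program. The tuple encoding of terms below is an ad-hoc assumption of ours (it is not the representation introduced later in Chapter 3):

```python
# Terms: ("var", x), ("app", s, t), ("lam", x, s); de Bruijn leaves: ("idx", n).
def lnr(term, binders=()):
    tag = term[0]
    if tag == "var":
        x = term[1]
        # a bound name becomes an index counting the λ-nodes to be skipped
        return ("idx", binders.index(x)) if x in binders else term
    if tag == "app":
        return ("app", lnr(term[1], binders), lnr(term[2], binders))
    if tag == "lam":
        # the argument name disappears; it is pushed onto the binder stack
        return ("lam", lnr(term[2], (term[1],) + binders))

# λx∈X. λy∈Y. fyx has the LNR  λ λ. f 〈0〉 〈1〉
t = ("lam", "x", ("lam", "y",
     ("app", ("app", ("var", "f"), ("var", "y")), ("var", "x"))))
assert lnr(t) == ("lam", ("lam",
     ("app", ("app", ("var", "f"), ("idx", 0)), ("idx", 1))))
```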
Exercise 2.5.1 Draw the locally nameless representations of the following terms:
a) λx∈X. (λy∈X. fxy)x
b) λx∈B. λy∈B. ¬x ∨y
c) λx∈X. f(λy∈Y . gyx)xy
2.6 Formulas, Identities, and Overloading
A formula is a term whose type is B. Here are examples of formulas: 3 < 7,
2 + 3 > 6, and x < 3 ∧ y > 5. We will represent mathematical statements as
formulas.
For every set X, the identity for X is the following function:
(=X) := λx∈X. λy∈X. x=y
Note that (=X) ∈ X → X → B. Also note that =B and ≡ are different names for the
same function. Identities are important since they make it possible to represent
equations as terms. For instance, the equation x + 0 = x may be represented as
the term x + 0 =Z x.
When it comes to notation, we will be sloppy and mostly write = rather than
the proper name =X . This means that we leave it to the reader to determine the
type of the identity. We speak of the disambiguation of overloaded symbols.
Typical examples of overloaded symbols are +, −, <, and =. If we write x+2 = y ,
without further information it is not clear how to disambiguate + and =. One
possibility would be the use of +Z and =Z.
Exercise 2.6.1 Draw the tree representations of the following formulas. Disam-
biguate the equality symbol =. Recall the specification of the operator prece-
dences in §2.3.
a) x = 0∨ x ∧y ≡ x
b) ¬¬x = y ≡ y = x ∧ x
2.7 Quantifiers
Mathematical statements often involve quantification. For instance,
∀x ∈ Z ∃y ∈ Z. x +y = 0
Church [10] realized that the quantifiers ∀ and ∃ can be represented as func-
tions, and that a quantification can be represented as the application of a quan-
tifier to a λ-term. We may say that Church did for the quantifiers what Boole [7]
did for the Boolean operations, that is, explain them as functions.
Let X be a set. We define the quantifiers ∀X and ∃X as follows:
∀X ∈ (X → B)→ B universal quantifier
∀Xf = (f = (λx∈X.1))
∃X ∈ (X → B)→ B existential quantifier
∃Xf = (f ≠ (λx∈X.0))
The statement ∃y ∈ Z. x +y = 0 can now be represented as follows:
∃Z (λy∈Z. x +y = 0)
The usual notation for quantification can be obtained at the notational level:
∀x∈X.t := ∀X (λx∈X.t)
∃x∈X.t := ∃X (λx∈X.t)
Frege and Russell understood quantifiers as properties of properties. If by a
property on X we mean a function X → B, then a property on properties on X
has the type (X → B) → B. And in fact, this is the type of the quantifiers ∀X
and ∃X . Note that the quantifiers are higher-order functions (i.e., functions taking
functions as arguments).
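For a finite set X, the definitions of ∀X and ∃X can be executed directly. A sketch in Python (the restriction to finite X is our assumption; the comparison with the constant function λx∈X.1 is done pointwise, since functions cannot be compared for equality in Python):

```python
# The quantifiers as higher-order functions of type (X → B) → B.
def forall(X):
    # ∀X f  holds iff  f = λx∈X.1, i.e. f yields 1 everywhere on X
    return lambda f: int(all(f(x) == 1 for x in X))

def exists(X):
    # ∃X f  holds iff  f ≠ λx∈X.0, i.e. f yields 1 somewhere on X
    return lambda f: int(any(f(x) == 1 for x in X))

X = range(10)
assert forall(X)(lambda x: int(x < 10)) == 1
assert forall(X)(lambda x: int(x < 5)) == 0
assert exists(X)(lambda x: int(x == 7)) == 1
```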
Exercise 2.7.1 Draw the locally nameless tree representation of the term
(∀x∈X. fx ∧ gx) ≡ ∀f ∧∀g.
2.8 Sets as Functions
Let X be a set. The subsets of X can be expressed as functions X → B. We
will represent a subset A ⊆ X as the function λx∈X. x∈A, which yields 1 if its
argument is an element of A. This function is called the characteristic function
of A with respect to X. The following examples illustrate how set operations
can be expressed with characteristic functions:
x ∈ A ⇝ Ax
A∩ B ⇝ λx∈X. Ax ∧ Bx
A∪ B ⇝ λx∈X. Ax ∨ Bx
Given the representation of sets as functions, there is no need for a functional
language to provide special primitives for sets. Note that subsets of X as well as
properties on X are expressed as functions X → B.
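Representing subsets as characteristic functions works verbatim in code. A sketch in Python, over a finite X and two sample subsets of our choosing:

```python
# Subsets of X as characteristic functions X → B.
X = range(10)
A = lambda x: int(x % 2 == 0)        # the even numbers in X
B = lambda x: int(x < 5)

# Set operations expressed on characteristic functions, as in the text.
inter = lambda f, g: (lambda x: min(f(x), g(x)))   # A ∩ B = λx. Ax ∧ Bx
union = lambda f, g: (lambda x: max(f(x), g(x)))   # A ∪ B = λx. Ax ∨ Bx

assert [x for x in X if inter(A, B)(x)] == [0, 2, 4]
assert union(A, B)(7) == 0 and union(A, B)(8) == 1
```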
Exercise 2.8.1 Let X be a set. We use P(X) as abbreviation for X → B. Express
the following set operations with the logical operations ¬, ∧, ∨, and ∀X . To
give you an idea what to do, here is how one would express set intersection
∩ ∈ P(X) → P(X) → P(X): ∩ = λf∈P(X). λg∈P(X). λx∈X. fx ∧ gx.
a) Union ∪ ∈ P(X) → P(X) → P(X)
b) Difference − ∈ P(X) → P(X) → P(X)
c) Subset ⊆ ∈ P(X) → P(X) → B
d) Disjointness ‖ ∈ P(X) → P(X) → B
e) Membership (∈) ∈ X → P(X) → B
2.9 Choice Functions
Sometimes one wants to define an object as the unique x such that a certain
property holds. This kind of definitions can be expressed with choice functions.
A choice function for a set X is a function (X → B) → X that yields for every
non-empty subset A of X an element of A. If a choice function for X is applied
to a singleton set {x}, there is no choice and it must return x. Let CZ be a choice
function for Z. Then
0 = CZ(λx∈Z. x + x = x)
since 0 is the unique integer such that x+x = x. Moreover, we can describe sub-
traction with addition and choice since x−y is the unique z such that x = y + z:
(−) = λx∈Z. λy∈Z. CZ(λz∈Z. x = y + z)
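A choice function for a finite set, and the definition of subtraction through it, can be sketched in code. The bound 100 on N and the left-to-right search are our own assumptions (a choice function for an infinite set is not computable in general):

```python
# A choice function for a finite X: given a predicate f describing a
# non-empty subset of X, yield one of its elements.  On a singleton
# subset there is no choice at all: the unique element is returned.
def choice(X):
    return lambda f: next(x for x in X if f(x) == 1)

N = range(100)
C = choice(N)
assert C(lambda x: int(x + x == x)) == 0   # 0 is the unique x with x + x = x

# x − y as the unique z with x = y + z (defined for x ≥ y)
minus = lambda x: lambda y: C(lambda z: int(x == y + z))
assert minus(7)(3) == 4
```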
Exercise 2.9.1 How many choice functions are there for B?
Exercise 2.9.2 Describe the following values with a choice function CN for N, the
Boolean operations ¬, ∧, ∨, →, addition + ∈ N→ N→ N, and the identity =N.
a) f ∈ N→ N→ N such that fxy = x − y if x ≥ y .
b) The existential quantifier ∃ ∈ (N → B)→ B.
c) The less or equal test ≤ ∈ N→ N→ B.
d) max ∈ N→ N→ N such that max xy yields the maximum of x, y .
e) if ∈ B → N→ N→ N such that if bxy yields x if b = 1 and y otherwise.
2.10 Some Logical Laws
Laws are mathematical statements that are universally true. Let us start with the
de Morgan law for conjunction:
¬(x ∧y) ≡ ¬x ∨¬y
The law says that we can see a negated conjunction as a disjunction. Seen syntac-
tically, the law is a formula. It involves the names ¬, ∧, ≡, ∨ and x, y . The names
in the first group are called constants and the names x, y are called variables.
While the meaning of constants is fixed, the meaning of variables is not fixed.
When we say that a law holds or is valid, we mean that the respective formula
evaluates to 1 no matter how we choose the values of the variables. Of course,
every variable comes with a type (here B) and we can only choose values that are
elements of the type (here 0 and 1). By means of universal quantification, we can
express explicitly that the names x and y are variables:
∀x∈B ∀y∈B. ¬(x ∧ y) ≡ ¬x ∨¬y
Leibniz’ law says that two values x, y are equal if and only if y satisfies every
property x satisfies:
x=Xy ≡ ∀f∈X→B. fx → fy
At first view, Leibniz’ law is quite a surprise. Seen logically, it expresses a rather
obvious fact. If x = y , then the right-hand side of the equivalence obviously eval-
uates to 1. If x ≠ y , we choose f = λz. z=x to see that the right-hand side of the
equivalence evaluates to 0. Leibniz’ law tells us that a language that can express
implication and quantification over properties can also express identities.
Henkin’s law says that a language that can express identities and universal
quantification over functions B→B→B can also express conjunction:
x ∧ y ≡ ∀f∈B→B→B. fxy = f11
If x = y = 1, then the equivalence obviously holds. If not both x and y are 1,
we choose f = (∧) to see that the right-hand side of the equivalence evaluates to 0.
The extensionality law for functions says that two functions are equal if they
agree on all arguments:
(∀x∈X. fx = gx) → f = g
The η-law for functions expresses a similar fact:
f = λx∈X. fx
Both laws hold since functions are sets of pairs. The α-law for functions looks
as follows:
(λx∈X. fx) = λy∈X. fy
It is a straightforward consequence of the η-law.
The de Morgan law for universal quantification says that a negated universal
quantification can be seen as an existential quantification:
¬(∀x∈X. s) ≡ ∃x∈X. ¬s
Seen logically, this law is very different from the previous laws since s is a vari-
able that ranges over formulas, that is, syntactic objects. We will avoid such
syntactic variables as much as we can. A regular formulation of de Morgan’s law
for universal quantification looks as follows:
¬(∀x∈X. fx) ≡ ∃x∈X. ¬fx
Here f is a variable that ranges over functions X → B.
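Since B is finite, the validity of such laws can be checked by brute force: evaluate the formula for all values of the variables. A sketch in Python, using the arithmetic definitions of the Boolean operations:

```python
from itertools import product

B = (0, 1)

# de Morgan for conjunction: ¬(x ∧ y) ≡ ¬x ∨ ¬y, over all x, y ∈ B
assert all((1 - min(x, y)) == max(1 - x, 1 - y) for x in B for y in B)

# the regular de Morgan law for ∀ over X = B: ¬(∀x∈B. fx) ≡ ∃x∈B. ¬fx,
# checked for all four functions f ∈ B → B, each given by its value table
for table in product(B, repeat=2):
    f = lambda x, t=table: t[x]
    neg_forall = 1 - min(f(0), f(1))        # ¬(∀x∈B. fx)
    exists_neg = max(1 - f(0), 1 - f(1))    # ∃x∈B. ¬fx
    assert neg_forall == exists_neg
```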
Finally, we look at the β-law. The β-law is a syntactic law for functions. Here
are instances of the β-law:
(λx∈N.x + 2)5 = 5+ 2
(λx∈N.x + 2)(x +y) = (x +y)+ 2
The general form of the β-law is as follows:
(λx∈X. s)t = sxt
Both s and t are syntactic variables that range over terms. The notation sxt stands
for the term that we obtain from s by replacing every free occurrence of the vari-
able x with the term t. The syntactic operation behind the notation sxt is called
substitution. As it turns out, substitution is not a straightforward operation. To
say more, we need the formal treatment of terms presented in the next chapter.
Exercise 2.10.1 (Boolean Formulas) Decide whether the following formulas are
valid for all values of the variables x,y, z ∈ B. In case a formula is not valid, find
values for the variables for which the formula does not hold.
a) 1→ x ≡ x
b) (x → y) → (¬y → ¬x) ≡ 1
c) x ∧ y ∨¬x ∧ z ≡ y ∨ z
Exercise 2.10.2 (Quantifiers and Identities) Given some logical operations, one
can express many other logical operations. This was demonstrated by Leibniz’
and Henkin’s laws. Express the following:
a) ∀X with =X→B and 1.
b) ∃X with ∀X and ¬.
c) ∀X with ∃X and ¬.
d) =X→Y with ∀X and =Y .
e) =B with ≡.
f) =X with ∀X→B and →.
Exercise 2.10.3 (Henkin’s Reduction) In a paper [21] published in 1963, Leon
Henkin expressed the Boolean operations and the quantifiers with the identities.
a) Express 1 with =B→B.
b) Express 0 with 1 and =B→B.
c) Express ¬ with 0 and =B.
d) Express ∀X with 1 and =X→B.
e) Express ∧ with 1, =B, and ∀B→B→B.
f) Express ∧ with 1 and =(B→B→B)→B.
2.11 Remarks
The outlined logical language is mainly due to Alonzo Church [10]. It is asso-
ciated with logical systems known as simple type theory or simply-typed higher-
order logic. Church started with an untyped language [9] but technical difficulties
forced him to switch to a typed language [10]. Types originated with Bertrand
Russell [34]. A logical language with quantification was first studied by Gottlob
Frege [13].
One distinguishes between metalanguage and object language. The metalan-
guage is the language one uses to explain an object language. Our object lan-
guage has many features in common with the metalanguage we use to explain
it. Still, it is important to keep the two languages separate. For some constructs
that appear in both languages we use different notations. For instance, implica-
tion and equivalence are written as =⇒ and ⇐⇒ at the metalevel and as → and
≡ at the object level. Moreover, at the metalevel we write quantifications with a
colon (e.g., ∃x∈N : x < 5) while at the object level we write them with a dot (e.g.,
∃x∈N. x < 5).
In the theory of programming languages one calls concrete syntax what we
call notation and abstract syntax what we call syntax.
Sometimes one speaks of the intension and the extension of a notation. While
the intension refers to the syntactic object decribed by the notation, the exten-
sion refers to the semantic object described by the notation.
3 Terms and Types
In this chapter we study syntax and ignore semantics. We first consider untyped
terms.
3.1 Untyped Terms
We start from a set Nam of names that is bijective to N. In principle, we could
choose Nam = N, but saying that Nam is bijective to N gives us more flexibility.
The set of terms Ter is obtained recursively from Nam:
x,y ∈ Nam ≅ N names
s, t ∈ Ter ::= x | s t | λx.s terms
We understand the definition such that every term is exactly one of the following:
a name x, an application st, or a λ-term λx.s. Moreover, we assume Nam ⊆ Ter.
To be concrete, we represent a term as a pair (i, γ) where the variant number
i ∈ {1,2,3} says whether the term is a name (i = 1), an application (i = 2), or
a λ-term (i = 3). For names we have γ ∈ N, for applications γ ∈ Ter × Ter,
and for λ-abstractions γ ∈ Nam × Ter. Note that our definition implies that
(λx.x) ≠ λy.y if x ≠ y .
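The tagged-pair representation of terms can be written down directly. A sketch in Python (the constructor names are ours; the variant numbers are those of the text):

```python
# Variant numbers as in the text: 1 = name, 2 = application, 3 = λ-term.
def name(x):   return (1, x)
def app(s, t): return (2, (s, t))
def lam(x, s): return (3, (x, s))

# (λx.x) and (λy.y) are different terms in this representation:
assert lam("x", name("x")) != lam("y", name("y"))
```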
The locally nameless representation (LNR) of a term uses numeric argument
references instead of local names. For instance, the LNR of λfxy.fyzx looks
as follows:
    λ
    |
    λ
    |
    λ
    |
    •
   / \
  •  〈1〉
 / \
 •   z
/ \
〈2〉 〈0〉
An argument reference 〈n〉 refers to the (n+1)-th λ-node encountered on the path
to the root. Note that λx.x and λy.y have the same LNR:
λ
|
〈0〉

The size |s| of a term s is the number of nodes in its tree representation. The
formal definition is recursive and looks as follows:
|_| ∈ Ter → N
|x| = 1
|st| = 1+ |s| + |t|
|λx.s| = 1+ |s|
For instance, |λfxy.fyzx| = 10. The free names of a term are the names that
appear in the LNR of the term. The formal definition looks as follows:
N ∈ Ter → P(Nam)
N x = {x}
N (st) = N s ∪ N t
N (λx.s) = N s − {x}
For instance, N (λfxy.fyzx) = {z} if we assume that z is different from
f , x, y . We say that x is free in s if x ∈ N s. A term s is closed if N s = ∅, and
open otherwise.
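The recursive definitions of size and free names translate one-to-one into code. A sketch in Python, reusing the tagged-pair representation of §3.1 (constructor names are ours):

```python
def name(x):   return (1, x)
def app(s, t): return (2, (s, t))
def lam(x, s): return (3, (x, s))

def size(term):
    i, g = term
    if i == 1: return 1                            # a name is one node
    if i == 2: return 1 + size(g[0]) + size(g[1])  # application node + subterms
    return 1 + size(g[1])                          # λ-node + body

def free_names(term):
    i, g = term
    if i == 1: return {g}
    if i == 2: return free_names(g[0]) | free_names(g[1])
    return free_names(g[1]) - {g[0]}               # the local name is bound

# λf.λx.λy. f y z x : size 10, free names {z}
t = lam("f", lam("x", lam("y",
        app(app(app(name("f"), name("y")), name("z")), name("x")))))
assert size(t) == 10
assert free_names(t) == {"z"}
```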
3.2 Contexts and Subterms
Informally, a context is a term with a hole. Formally, we define contexts as
follows:
C ::= [] | Cs | sC | λx.C
The instantiation C[t] of a context C with a term t yields the term that is ob-
tained from C by replacing the hole [] with t. For instance, if C = λxy.f[], then
C[gxy] = λxy.f(gxy). Formally, we define context instantiation recursively:
[][t] = t
(Cs)[t] = (C[t])s
(sC)[t] = s(C[t])
(λx.C)[t] = λx.C[t]
A term s is a subterm of a term t if there exists a context C such that t = C[s].
We say that a term s contains a term t or that t occurs in s if t is a subterm of s.
A term is called combinatorial if none of its subterms is a λ-term.
Exercise 3.2.1 Give all subterms of the term λx.fxx. For each subterm give a
corresponding context. Is there a subterm with more than one corresponding
context?
Exercise 3.2.2 Determine all pairs C , s such that C[s] = xxxx and s is an appli-
cation.
Exercise 3.2.3 We say that a name x occurs bound in a term s if s has a subterm
λx.t such that x is free in t. Give a term s such that x is free in s and also occurs
bound in s.
3.3 Substitution
A substitution is a function θ ∈ Nam → Ter. There is an operation S ∈(Nam → Ter) → Ter → Ter that applies a substitution to a term. If s is com-
binatorial, then Sθs is obtained from s by replacing every occurrence of a name
x in s with the term θx. This can be expressed with two equations:
Sθx = θx
Sθ(st) = (Sθs)(Sθt)
For instance, Sθ(fxy) = (λxy.x)yx if θf = (λxy.x), θx = y , θy = x.
The recursion equation for Sθ(λx.s) is not straightforward. It is clear that
the local name x must not be replaced in s. However, there is a second, more
severe complication known as capturing. Consider Sθ(λx.y) where x ≠ y and
θy = x. Then the y in λx.y must be replaced with x. If we do this naively, we
obtain λx.x, which means that the external x has been captured as local name.
To obtain the right semantic properties, substitution must be defined such that
capturing does not happen. This can be done by renaming local names, also
known as α-renaming.
We say that capture-free substitution preserves the binding structure of a
term. The binding structure of a term is expressed best by its LNR. The substi-
tution operation S must be defined such that the LNR of the term Sθs can be
obtained by replacing every name x in the LNR of s with the LNR of θx. For
instance, if s = λx.yx and θy = x, we want the following:
  λ              λ
  |              |
  •      ⇝      •
 / \            / \
y  〈0〉         x  〈0〉
Consequently, Sθs cannot be the term λx.xx but must be some term λz.xz.
How should the substitution operation choose names if it has to rename local
names? It is best to first consider a simplified problem: how can we choose local
names for an LNR such that we obtain a term whose LNR is the given one? For
instance, consider the LNR
  λ
  |
  •
 / \
•  〈0〉
/ \
x   y
To obtain a term with this LNR, we can choose any local name that is different
from x and y . For instance, λz.xyz. If we choose x or y as local name, the local
name will capture a free name, which results in a different LNR.
Consider a term λx.s. Which local names can we use in place of x without
changing the LNR? If you think about it you will see that all names that are not
free in λx.s are ok. The names that are free in λx.s are not ok since using such
a name as argument name would capture the free occurrences of this name.
A choice function is a function ρ ∈ Nam → Pfin(Nam) → Nam such that
ρxN ∉ N for all x and N . Pfin(Nam) is the set of all finite subsets of Nam. A
choice function ρ is conservative if ρxN = x whenever x ∉ N . Given a choice
function ρ, the following recursion equations yield a substitution operation S:
Sθx = θx
Sθ(st) = (Sθs)(Sθt)
Sθ(λx.s) = λy. S(θ[x:=y])s   where y = ρx(∪{ N(θz) | z ∈ N(λx.s) })
The notation θ[x:=y] describes the substitution that is like θ except that it
maps x to y . We call a substitution operation S conservative if it is obtained
with a conservative choice function.
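The three recursion equations translate almost literally into Python. The sketch below uses the same hypothetical tuple encoding of terms as before; the fresh-name scheme x0, x1, … is an arbitrary choice of ours, any scheme avoiding the given set works.

```python
def free_names(s):
    tag = s[0]
    if tag == 'var': return {s[1]}
    if tag == 'app': return free_names(s[1]) | free_names(s[2])
    return free_names(s[2]) - {s[1]}               # N(λx.s) = N s − {x}

def rho(x, avoid):
    """Conservative choice function: ρxN = x whenever x ∉ N."""
    if x not in avoid:
        return x
    i = 0
    while x + str(i) in avoid:                     # hypothetical fresh-name scheme
        i += 1
    return x + str(i)

def subst(theta, s):
    tag = s[0]
    if tag == 'var':
        return theta.get(s[1], s)                              # Sθx = θx
    if tag == 'app':
        return ('app', subst(theta, s[1]), subst(theta, s[2]))
    x, body = s[1], s[2]
    avoid = set()                                  # ∪{ N(θz) | z ∈ N(λx.body) }
    for z in free_names(s):
        avoid |= free_names(theta.get(z, ('var', z)))
    y = rho(x, avoid)
    inner = dict(theta)
    inner[x] = ('var', y)                          # θ[x := y]
    return ('lam', y, subst(inner, body))

# s = λx.yx with θy = x: the local name must be renamed away from x.
s = ('lam', 'x', ('app', ('var', 'y'), ('var', 'x')))
print(subst({'y': ('var', 'x')}, s))   # λx0.xx0, some variant of λz.xz
# conservative: the identity substitution leaves s unchanged (cf. Prop. 3.3.2)
assert subst({}, s) == s
```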
Proposition 3.3.1 For every substitution operation S:
1. N(θs) = ∪{ N(θx) | x ∈ N s }
2. (∀x ∈ N s : θx = θ′x) =⇒ Sθs = Sθ′s    coincidence
Proposition 3.3.2 For every conservative substitution operation S:
(∀x ∈ N s : θx = x) =⇒ Sθs = s.
We fix some conservative substitution operator S and define the notation
sxt := S (λy∈Nam. if y = x then t else y) s
Proposition 3.3.3
1. (λx.s)xt = (λx.s)
2. (λx.s)yt = (λx.syt)   if x ≠ y and x ∉ N t
3. sxt = s   if x ∉ N s
Exercise 3.3.4 Apply the following substitutions.
a) ((λx.y)y)yx
b) (λx.y)yfxy
c) (λx.y)xfxy
Exercise 3.3.5 Let x ≠ y . Find C such that (C[x])xy ≠ C[y]. Hint: Exploit that
C[x] may capture x.
3.4 Alpha Equivalence
Two terms are α-equivalent if they have the same LNR. This doesn't suffice for a
formal definition since the LNR of terms is not formally defined. It turns out that
there is a non-conservative substitution operator that provides for an elegant
formal definition of α-equivalence.
Let ρ0 be the choice function such that ρ0xN is the least name that is not in N (we exploit a bijection between Nam and the natural numbers for the order). Moreover, let S0 be the
substitution operation obtained with ρ0. Finally, let ε be the identity substitution
such that εx = x for all names x. We define α-equivalence as follows:
s ∼α t :⇐⇒ S0εs = S0εt
Intuitively, this definition works since S0εs yields a variant of s where all local
names are chosen to be the least possible ones. Here are examples (x � 0, y � 1):
S0ε(λx.x) = λx.x
S0ε(λy.y) = λx.x
S0ε(λyx.xy) = λxy.yx
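An equivalent way to decide α-equivalence is to compute the LNR directly and compare. In the Python sketch below (tuple-encoded terms are our assumption, not the notes' notation) each bound occurrence becomes an argument reference ('ref', i), where i counts the enclosing λs, exactly as in the 〈i〉 notation.

```python
def lnr(s, bound=()):
    """Locally nameless representation: the i-th enclosing λ binds ('ref', i)."""
    if s[0] == 'var':
        x = s[1]
        return ('ref', bound.index(x)) if x in bound else ('name', x)
    if s[0] == 'app':
        return ('app', lnr(s[1], bound), lnr(s[2], bound))
    return ('lam', lnr(s[2], (s[1],) + bound))   # prepend: innermost λ has index 0

def alpha_eq(s, t):
    return lnr(s) == lnr(t)

# λyx.xy and λxy.yx have the same LNR (cf. S0ε(λyx.xy) = λxy.yx above)
lyx = ('lam', 'y', ('lam', 'x', ('app', ('var', 'x'), ('var', 'y'))))
lxy = ('lam', 'x', ('lam', 'y', ('app', ('var', 'y'), ('var', 'x'))))
assert alpha_eq(lyx, lxy)
assert not alpha_eq(('lam', 'x', ('var', 'y')), ('lam', 'y', ('var', 'y')))
```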
A careful study of S0 with complete proofs of its basic properties can be found
in a paper by Allen Stoughton [36].
Proposition 3.4.1
1. S0ε(S0εs) = S0εs
2. S0εs ∼α s
Proposition 3.4.2 Let z be a name that is not free in λx.s or λy.t. Then λx.s ∼α λy.t ⇐⇒ sxz ∼α tyz.
Proposition 3.4.3 λx.s ∼α λy.t ⇐⇒ y ∉N (λx.s) ∧ t = sxy
Proposition 3.4.4 Alpha equivalence ∼α is an equivalence relation on Ter satis-
fying the following properties:
1. s ∼α t =⇒ C[s] ∼α C[t]   compatibility
2. s ∼α t =⇒ Sθs ∼α Sθt   stability
Since we will see several other relations on the set of terms that are compatible
and stable, we define these properties in a general way. A binary relation R on
the set of all terms is
• compatible if ∀(s, t) ∈ R ∀C : (C[s], C[t]) ∈ R
• stable if ∀(s, t) ∈ R ∀θ : (Sθs, Sθt) ∈ R
Exercise 3.4.5 Which of the following terms are α-equivalent?
λxyz.xyz, λyxz.yxz, λzyx.zyx, λxyz.zyx, λyxz.zxy
Exercise 3.4.6 Determine S0εt for the following terms t. Assume x � 0, y � 1,
and z � 2.
a) λz.z
b) λyx.yx
c) λxy.yx
d) λxy.y
e) λzxy.xyz
f) λz.x
Exercise 3.4.7 Find counterexamples that falsify the following statements.
a) λx.s ∼α λy.t ⇐⇒ ∃z : sxz ∼α tyz
b) λx.s ∼α λy.t ⇐⇒ sxy ∼α t
3.5 Confluence and Termination
We define some notions for binary relations that we need for α-equivalence and
other relations on terms. Read Chapter 2 of Baader and Nipkow [3] to learn more.
Let X be a non-empty set and → ⊆ X × X. We write x → y if and only
if (x,y) ∈ →. Moreover, we write x →∗ y if there exist x1, . . . , xn such that
x = x1 → ·· · → xn = y . We use →∗ to denote the corresponding reflexive and
transitive relation. We write x ↓ y and say that x and y are →-joinable if there
exists a z such that x →∗ z and y →∗ z. We use ↓ to denote the corresponding
relation. We say that x is →-normal if there is no y such that x → y . We say
that y is a →-normal form of x if x →∗ y and y is →-normal. We say that → is
confluent if for all x, y, z: x →∗ y ∧ x →∗ z =⇒ y ↓ z.
Proposition 3.5.1 If→ is confluent, then no x has more than one→-normal form.
Proposition 3.5.2 If → is confluent, then ↓ is the least equivalence relation ∼ on X such that → ⊆ ∼.
Proposition 3.5.3 → is confluent if and only if ↓ is an equivalence relation.
We say that → terminates on x if there is no infinite chain x → x1 → x2 → ·· · .
We say that → is terminating if there is no x on which → doesn’t terminate.
Proposition 3.5.4 If→ terminates, every x has a→-normal form. If→ terminates
and is confluent, every x has a unique →-normal form.
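For finite relations these notions are directly computable. A Python sketch (our own small example relations, not from the text): reachability by search, joinability by intersecting reachable sets, confluence by checking joinability of all pairs of reducts.

```python
def reachable(rel, x):
    """All y with x →* y, for a finite relation rel given as a set of pairs."""
    seen, todo = {x}, [x]
    while todo:
        a = todo.pop()
        for u, v in rel:
            if u == a and v not in seen:
                seen.add(v)
                todo.append(v)
    return seen

def joinable(rel, x, y):                           # x ↓ y
    return bool(reachable(rel, x) & reachable(rel, y))

def is_confluent(rel):
    xs = {u for p in rel for u in p}
    return all(joinable(rel, y, z)
               for x in xs
               for y in reachable(rel, x)
               for z in reachable(rel, x))

# a → b, a → c, b → d, c → d: confluent, and d is the unique normal form of a
R = {('a', 'b'), ('a', 'c'), ('b', 'd'), ('c', 'd')}
assert is_confluent(R)
# a → b, a → c with b and c both →-normal: not confluent
assert not is_confluent({('a', 'b'), ('a', 'c')})
```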
We now return to α-equivalence of terms. The α-rule
λx.s → λy.sxy if y ∉N (λx.s) and y < x
replaces the local name of a λ-term with a smaller name. We define α-reduction
as the binary relation →α on Ter satisfying the following condition:
s →α t ⇐⇒ ∃C,x,u,y : s = C[λx.u] ∧ t = C[λy.uxy] ∧ y ∉N (λx.u)∧ y < x
Proposition 3.5.5 →α is confluent and terminating. Moreover, ↓α = ∼α.
Thus, two terms are α-equivalent if and only if they have the same α-normal
form (i.e., →α-normal form).
Hint for the exercises: Draw finite relations as graphs.
Exercise 3.5.6 Give finite relations → such that:
a) → is confluent but not terminating.
b) → is terminating but not confluent.
c) → is not confluent and not terminating.
d) → is confluent, does not terminate on x, and y is a →-normal form of x.
Exercise 3.5.7 Consider the relation → := { (x,y) ∈ N² | 2 ≤ 2y ≤ x }.
a) Is → terminating?
b) Is → confluent?
c) Give a →-normal form of 7.
d) Give all →-normal n ∈ N.
Exercise 3.5.8 A relation → is locally confluent if for all x, y, z: x → y ∧ x → z =⇒ y ↓ z. Find a finite relation that is locally confluent but not confluent.
3.6 Beta and Eta Reduction
A β-redex is a term of the form (λx.s)t (i.e., an application whose left-hand side
is a λ-term). The β-rule
(λx.s)t → sxt
rewrites a β-redex (λx.s)t to the term sxt. We define β-reduction as the binary
relation →β on Ter satisfying the following condition:
s →β t ⇐⇒ ∃C,x,u, v : s = C[(λx.u)v] ∧ t = C[uxv]
A term is β-normal if it doesn’t contain a β-redex. We say that t is a β-normal
form of s if s →∗β t and t is β-normal. Here is an example:
(λxy.y)((λx.x)y)z →β (λxy.y)yz
→β (λy.y)z
→β z
Note that the term z is a β-normal form of (λxy.y)((λx.x)y)z. Since the term
(λxy.y)((λx.x)y)z contains two β-redexes, we can reduce it also as follows:
(λxy.y)((λx.x)y)z →β (λy.y)z →β z
Consider the term ω := λx.xx. We have ωω →β ωω. Hence ωω is a term that
has no β-normal form.
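The β-rule and normal-order reduction can be sketched in Python (tuple-encoded terms again, with a simple prime-based renaming to keep substitution capture-free; all of this encoding is our assumption). The fuel parameter is needed because, as ωω shows, a β-normal form need not exist.

```python
def free(s):
    if s[0] == 'var': return {s[1]}
    if s[0] == 'app': return free(s[1]) | free(s[2])
    return free(s[2]) - {s[1]}

def subst(s, x, t):
    """Capture-avoiding s[x:=t]; local names get primes when renaming is needed."""
    if s[0] == 'var':
        return t if s[1] == x else s
    if s[0] == 'app':
        return ('app', subst(s[1], x, t), subst(s[2], x, t))
    y, body = s[1], s[2]
    if y == x:
        return s
    if y in free(t) and x in free(body):           # rename to avoid capture
        z = y
        while z in free(t) | free(body) | {x}:
            z += "'"
        body, y = subst(body, y, ('var', z)), z
    return ('lam', y, subst(body, x, t))

def step(s):
    """One normal-order β-step, or None if s is β-normal."""
    if s[0] == 'app':
        f, a = s[1], s[2]
        if f[0] == 'lam':
            return subst(f[2], f[1], a)            # (λx.u)v → u[x:=v]
        r = step(f)
        if r is not None: return ('app', r, a)
        r = step(a)
        if r is not None: return ('app', f, r)
    if s[0] == 'lam':
        r = step(s[2])
        if r is not None: return ('lam', s[1], r)
    return None

def normalize(s, fuel=100):
    while fuel:
        r = step(s)
        if r is None: return s
        s, fuel = r, fuel - 1
    return None                                    # gave up: maybe no normal form

# (λxy.y)((λx.x)y)z  →β*  z, as in the example above
t = ('app', ('app', ('lam', 'x', ('lam', 'y', ('var', 'y'))),
             ('app', ('lam', 'x', ('var', 'x')), ('var', 'y'))),
     ('var', 'z'))
assert normalize(t) == ('var', 'z')
omega = ('lam', 'x', ('app', ('var', 'x'), ('var', 'x')))
assert normalize(('app', omega, omega)) is None    # ωω →β ωω →β · · ·
```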
Proposition 3.6.1
1. s →β t �⇒ C[s] →β C[t] compatibility
2. s →β t �⇒ Sθs →β Sθt stability
3. s1 ∼α s2 ∧ s1 →β t1 �⇒ ∃t2 : s2 →β t2 ∧ t1 ∼α t2 α-compatibility
Two terms s1, s2 are β-joinable if there exist terms t1, t2 such that s1 →∗β t1,
s2 →∗β t2, and t1 ∼α t2.
Theorem 3.6.2 (Confluence) If s →∗β t1 and s →∗β t2, then t1 and t2 are β-joinable.
The Confluence Theorem was first shown in 1936 by Church and Rosser. The
proof is not straightforward. You find it in Barendregt [5].
Corollary 3.6.3 If a term has a β-normal form, then it is unique up to α-
equivalence.
An η-redex is a term of the form λx.sx where x ∉N s. The η-rule
λx.sx → s if x ∉N s
rewrites an η-redex λx.sx to the term s. We define η-reduction as the binary
relation →η on Ter satisfying the following condition:
s →η t ⇐⇒ ∃C,x,u : s = C[λx.ux] ∧ t = C[u] ∧ x ∉Nu
A term is η-normal if it doesn’t contain an η-redex. We say that t is a η-normal
form of s if s →∗η t and t is η-normal. Here is an example:
λxy.fxy →η λx.fx →η f
Note that the term f is an η-normal form of λxy.fxy. Also note that λxy.fyx is η-normal.
Proposition 3.6.4 →η is terminating.
Proposition 3.6.5 If s →η t and s is β-normal, then t is β-normal.
The relation →βη := →β ∪ →η is called βη-reduction. βη-normal forms are
defined as one would expect. Confluence modulo α-equivalence also holds for
βη-reduction. Finally, we define λ-reduction: →λ := →α ∪→β ∪→η.
Theorem 3.6.6 (Confluence) →λ is confluent.
The equivalence relation ∼λ := ↓λ is called λ-equivalence or lambda equiva-
lence.
Proposition 3.6.7 →λ and ∼λ are compatible and stable relations.
Proposition 3.6.8 Lambda equivalence is the least relation R on the set of terms
such that R is symmetric, transitive and →β ∪→η ⊆ R.
Proof One direction is straightforward. For the other direction, let R be a relation with the required properties. Let s be a term. Then (s, s) ∈ R since (λx.x)s →β s and R is symmetric and transitive. It remains to show →α ⊆ R. Let y ∉ N(λx.s). Then λy.(λx.s)y →η λx.s and λy.(λx.s)y →β λy.sxy. Hence (λx.s, λy.sxy) ∈ R since R is symmetric and transitive. □
Exercise 3.6.9 Give the β-normal forms of the following terms.
a) (λxy.fyx)ab
b) (λfxy.fyx)(λxy.yx)ab
c) (λx.xx)((λxy.y)((λxy.x)ab))
d) (λxy.y)((λx.xx)(λx.xx))a
e) (λxx.x)yz
Exercise 3.6.10 Give the βη-normal forms of the following terms.
a) λxy.fx
b) λxy.fy
c) λxy.fxy
Exercise 3.6.11 Determine all pairs C, s such that C[s] = λxyz.(λx.x)yxz and s is a β- or η-redex.
Exercise 3.6.12 Find terms as follows.
a) A term that has no β-normal form.
b) A term that has a β-normal form but is not terminating.
Exercise 3.6.13
a) Find a term that has more than one β-normal form.
b) Find a term s such that there are infinitely many terms t such that s →∗β t.
c) Find terms s, t such that s →β t, s contains no η-redex, and t contains an
η-redex.
3.7 Typed Terms
Types are syntactic objects like terms. We define them as follows:
α, β ∈ Sor = N                    sorts
σ, τ ∈ Ty ::= α | στ              types

Sorts are primitive types. We assume Sor ⊆ Ty. Types of the form στ are called functional. Here are examples of functional types: αβ, (αβ)β, ((αβ)β)β. We omit parentheses according to σ1σ2σ3 ≙ σ1(σ2σ3), that is, στ associates to the right. You can see a type as a binary tree whose leaves are labeled with sorts. Typed terms are defined as follows:

x, y ∈ Nam = N × Ty               names
s, t ∈ Ter ::= x | st | λx.s      terms
The difference to untyped terms is that typed terms employ typed names. Every name x comes with a unique type τx. By definition there are infinitely many
names for every type. We define a typing relation (:) ⊆ Ter × Ty that relates
terms and types. The definition is recursive:
1. If x is a name, then x : τx.
2. If s : στ and t : σ , then st : τ .
3. If x : σ and s : τ , then λx.s : στ .
The definition of the typing relation can also be formulated with inference rules:

─────── τx = σ        s : στ    t : σ        x : σ    s : τ
 x : σ                ───────────────        ──────────────
                          st : τ               λx.s : στ
A term s is well-typed if there exists a type σ such that s : σ . Terms that are not
well-typed are called ill-typed. A substitution θ is well-typed if θx : τx for all
names x.
For typed terms (not necessarily well-typed) the choice function ρxN for the
substitution operation must be restricted such that it returns a name that has
the same type as x. Moreover, α-reduction must replace the local name of a
λ-term with a name of the same type. All other definitions for untyped terms
carry through to typed terms without change.
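The typing relation is directly executable. A Python sketch with an encoding of our own choosing: sorts are strings, a functional type στ is the pair (σ, τ), and a typed name is a pair of a string and its type, so τx travels with the name.

```python
def typ(s):
    """Return the type of s, or None if s is ill-typed."""
    if s[0] == 'var':
        return s[1][1]                             # x : τx
    if s[0] == 'app':
        ft, at = typ(s[1]), typ(s[2])
        if ft is not None and isinstance(ft, tuple) and ft[0] == at:
            return ft[1]                           # s : στ and t : σ give st : τ
        return None
    x, body = s[1], s[2]                           # λx.body : (τx)τ
    bt = typ(body)
    return (x[1], bt) if bt is not None else None

a = 'alpha'
xa = ('x', a)
ident = ('lam', xa, ('var', xa))
assert typ(ident) == (a, a)                        # λx.x : αα

# ω = λx.xx is ill-typed; this only tests τx = α, but the argument in the
# text shows that no choice of τx can work.
omega = ('lam', xa, ('app', ('var', xa), ('var', xa)))
assert typ(omega) is None
```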
Proposition 3.7.1
1. s : σ ∧ s : τ =⇒ σ = τ
2. If s is well-typed, then every subterm of s is well-typed.
3. If θ is well-typed and s : σ, then θs : σ.
4. If s →λ t and s : σ, then t : σ.
4. If s →λ t and s : σ , then t : σ .
In words, the proposition states the following:
• The type of a well-typed term is unique.
• Application of a well-typed substitution to a well-typed term preserves the
type of the term.
• Lambda reduction preserves the type of a term.
Consider the term ω = λx.xx. This term is ill-typed. We prove this by contradiction. Suppose ω is well-typed. Then, by the above proposition, the subterm xx is well-typed. Hence there is a type στ such that στ = σ. This is a contradiction since the type σ is smaller than the functional type στ.
Theorem 3.7.2 (Termination) →λ terminates on well-typed terms.
The Termination Theorem was first shown in 1967 by Tait [37]. The proof is not
straightforward and can be found in [17].
Corollary 3.7.3 Every well-typed term has a unique λ-normal form and a
β-normal form that is unique up to α-equivalence.
Proof The existence of a normal form follows from the Termination Theorem.
The uniqueness follows with the Confluence Theorem. □
Corollary 3.7.4 Lambda equivalence of well-typed terms is decidable.
Proof Follows with the Confluence and the Termination Theorem. The decision
algorithm computes the λ-normal forms of the given terms and checks whether
they are equal. □
Exercise 3.7.5 For each of the following terms, find types for the names occurring in the term such that the term becomes well-typed.
a) λxy.x
b) λf .fyx
c) λfgx.fx(gx)
Exercise 3.7.6 Find closed terms that have the following types.
a) αα
b) αβα
c) (αβ)(βγ)αγ
d) α(αβ)β
Exercise 3.7.7 Find terms s, t such that s →β t, s is ill-typed, and t is well-typed.
3.8 Remarks
We have defined terms and types as syntactic objects. We have stated many
propositions and two famous theorems. We have not given proofs. The proofs
are typically inductive. The proofs of the propositions are not difficult but re-
quire technical details and care. The proofs of the theorems are non-trivial.
The system based on untyped terms is known as untyped lambda calculus,
and the system based on typed terms is known as simply typed lambda calcu-
lus. Both systems originated with Church [9, 10]. Church’s final account of the
untyped lambda calculus can be found in [11]. Nowadays, the standard refer-
ence for the untyped lambda calculus is Barendregt [5]. A textbook introducing
the untyped and the typed lambda calculus is Hindley [22]. The lambda calcu-
lus is essential in the theory of programming languages. Pierce [31] contains a
programming languages oriented introduction to the lambda calculus. A more
advanced textbook is Mitchell [28].
One can formalize LNRs and work with LNRs rather than terms. The advan-
tage of LNRs is that the definition of substitution is straightforward and that α-equivalence is not needed. When it comes to the semantic interpretation of terms,
the representation of local names is redundant. However, the LNR approach
also has drawbacks. The notions of subterm and context need to be revised. If you look at the tree representation, it's clear that we need to admit LNRs with
dangling argument references to account for the β-reduction of subterms that
occur below λ-nodes. What one ends up with is de Bruijn’s representation [12],
which was conceived for an implementation of terms. Currently, the adequate
formalization of terms is a hot research topic and there are several competing
approaches (e.g., [39, 2, 27]). Following Barendregt [5], most modern presenta-
tions of the lambda calculus sweep the problems under the carpet by saying that
α-equivalent terms are identified.
4 Interpretation and Specification
In this chapter we define the semantics of well-typed terms and set up simple
type theory, the logic we will be working with. The highlight of this chapter is a
specification of the natural numbers in simple type theory.
We tacitly assume that all terms and substitutions are well-typed and that rela-
tions like ∼α, →β, and ∼λ are restricted to well-typed terms. Moreover, Ter will
denote from now on the set of all well-typed terms.
4.1 Interpretations
If we associate with every sort a non-empty set, every type describes a non-empty set. We require that a functional type στ describes the set of all functions A → B where A is the set described by σ and B is the set described by τ.
If we associate with every name x an element of the set described by the
type of x, every well-typed term s describes a value that is an element of the
set described by the type of s. The well-typedness condition for applications st ensures that s describes a function that is defined for the value described by t.
The interpretation of types and terms is something you are familiar with
through years of mathematical training, maybe with the exception of λ-terms.
Since we have a formal account of terms and types, we can also formalize their
interpretation. We will do this in the following.
We assume that the sets Ty (all types) and Ter (all well-typed terms) are dis-
joint. We distinguish between interpretations and evaluations. An interpretation
is a function that assigns a set to every type and a value to every name. An evalu-
ation is a function that assigns a value to every term. Every interpretation yields
a unique evaluation.
For interpretations and evaluations we need a general notion of function. A function f is a set of pairs such that for no pair (x,y) ∈ f there is a z ≠ y such that (x,z) ∈ f. The domain and the range of a function f are defined as follows:

Dom f := { x | ∃y : (x,y) ∈ f }
Ran f := { y | ∃x : (x,y) ∈ f }
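This set-of-pairs view of functions is easy to mirror in Python (a sketch with a made-up example function; tuples stand for pairs):

```python
# A function as a set of pairs: first components are pairwise distinct.
f = {(0, 'a'), (1, 'b'), (2, 'b')}

def dom(f): return {x for (x, y) in f}
def ran(f): return {y for (x, y) in f}

assert dom(f) == {0, 1, 2}
assert ran(f) == {'a', 'b'}
```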
An interpretation is a function I such that:
1. Dom I = Ty∪Nam
2. Iα is a non-empty set for all sorts α
3. I(στ) = {ϕ |ϕ function Iσ → Iτ } for all types σ , τ
4. Ix ∈ I(τx) for all names x
Proposition 4.1.1 (Coincidence) Two interpretations are equal if they agree on
all sorts and all names.
Given an interpretation I , a name x, and a value v ∈ I(τx), we use Ix,v to denote
the interpretation I[x:=v] (I[x:=v] is like I but maps x to v).
Proposition 4.1.2 (Evaluation) For every interpretation I there exists exactly one function Î such that:

1. Dom Î = Ter
2. s : σ =⇒ Îs ∈ Iσ for all terms s and all types σ
3. Îx = Ix for all names x
4. Î(st) = (Îs)(Ît) for all applications st
5. Î(λx.s) = λv∈I(τx). Îx,v s for all terms λx.s, where Îx,v is the evaluation determined by Ix,v
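Clauses 3–5 are essentially an interpreter. A Python sketch under simplifying assumptions of ours: an interpretation is just a dict from names to values, terms are nested tuples, and functions are modelled by closures rather than by sets of pairs.

```python
def evaluate(I, s):
    """The evaluation determined by interpretation I (a dict: names -> values)."""
    if s[0] == 'var':
        return I[s[1]]                                   # Îx = Ix
    if s[0] == 'app':
        return evaluate(I, s[1])(evaluate(I, s[2]))      # Î(st) = (Îs)(Ît)
    x, body = s[1], s[2]
    return lambda v: evaluate({**I, x: v}, body)         # Î(λx.s) = λv. Îx,v(s)

I = {'f': lambda n: n + 1, 'y': 3}
t = ('app', ('lam', 'x', ('app', ('var', 'f'), ('var', 'x'))), ('var', 'y'))
assert evaluate(I, t) == 4
# (λx.fx)y and fy are λ-equivalent and evaluate to the same value (soundness)
assert evaluate(I, ('app', ('var', 'f'), ('var', 'y'))) == 4
```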
Given an interpretation I and a substitution θ, we use Iθ to denote the interpre-
tation satisfying the following equations:
Iθσ = Iσ for every type σ
Iθx = I(θx) for every name x
Lemma 4.1.3 (Substitution) Î(Sθs) = Îθs.
The lemma says that substitution and interpretation interact smoothly. The
lemma is of great technical importance. If substitution was not defined capture-
free, the lemma would not hold.
The atoms of a term are all sorts and names the interpretation of the term
depends on. For instance, the atoms of λx.x are all sorts that occur in τx.
Formally, we define the atoms occurring in a type or term as follows:
Atom α = {α}
Atom (στ) = Atom σ ∪ Atom τ
Atom x = {x} ∪ Atom (τx)
Atom (st) = Atom s ∪ Atom t
Atom (λx.s) = Atom (τx) ∪ (Atom s − {x})

If an atom occurs in a term or type, we also say that the term or type contains the atom or depends on the atom.
Proposition 4.1.4 (Coincidence) If I and I′ agree on Atom s, then Îs = Î′s.
4.2 Semantic Equivalence
We define semantic equivalence of terms as follows:
s ≈ t :⇐⇒ (∃σ : s : σ ∧ t : σ) ∧ ∀I : Îs = Ît
In words, two terms are semantically equivalent if they have the same type and
yield the same value for every interpretation. Semantically equivalent terms can-
not be distinguished through interpretations.
Proposition 4.2.1 (Soundness) s ∼λ t =⇒ s ≈ t

Theorem 4.2.2 (Completeness) s ≈ t =⇒ s ∼λ t
Together, soundness and completeness say that lambda equivalence (a syn-
tactic notion) and semantic equivalence (a semantic notion) coincide. Soundness
says that lambda reduction rewrites a term in such a way that its denotation does
not change, no matter how the interpretation is chosen. Completeness says that
lambda reduction is powerful enough to decide semantic equivalence of terms.
For the Soundness Proposition one has to show the soundness of β-reduction
(→β ⊆ ≈) and the soundness of η-reduction (→η ⊆ ≈). For the soundness of
β-reduction the Substitution Lemma 4.1.3 is essential. The Completeness Theo-
rem was first shown by Harvey Friedman [15] in 1975. A simpler proof by Gordon
Plotkin [32] uses Tait’s termination theorem.
4.3 Formulas and Models
We fix a sort B (read bool) and choose names for the logical operations (cf.
Chapter 2):
⊥, ⊤ : B
¬ : BB
∨, ∧, → : BBB
=σ : σσB            for every type σ
∃σ, ∀σ : (σB)B      for every type σ
Terms whose type is B are called formulas. Formulas of the form s =σ t are called equations. If the context suffices for disambiguation, we omit the type subscripts of =σ, ∃σ, and ∀σ. We write s ≠ t for ¬(s = t), ≡ for =B, and s ≢ t for ¬(s ≡ t). The operator precedences stated in § 2.3 apply.
A logical interpretation is an interpretation that interprets B as {0,1}, ⊥ as 0, ⊤ as 1, and every name for a logical operation as the corresponding operation. In particular,
⊤ ≡ (λx.x) =BB λx.x
⊥ ≡ (λx.x) =BB λx.⊤
¬ = λx. x=⊥
∀σ = λf. f=λx.⊤
∃σ = λf. f≠λx.⊥
∧ = λxy. ∀f. fxy ≡ f⊤⊤
∨ = λxy. ¬(¬x ∧ ¬y)
→ = λxy. ¬x ∨ y

Figure 4.1: Henkin Equations
we have I(=σ) = λv1∈Iσ. λv2∈Iσ. (v1=v2) for every logical interpretation I and every type σ.
An interpretation I satisfies a formula s if I is logical and Îs = 1. A formula
is satisfiable if there is a logical interpretation that satisfies it, and valid if it
satisfied by every logical interpretation. A formula is unsatisfiable if it is not
satisfiable. An interpretation is a model of a formula if it satisfies the formula.
We write I ⊨ s if s is a formula and I satisfies s. We say that s holds in I if I ⊨ s.

Figure 4.1 shows a set of valid equations, which we will refer to as Henkin
equations (cf. Exercise 2.10.3). The equations are stated with schemes, where
a scheme parameterized with a type σ describes an equation for every type σ .
The Henkin equations can be taken as definitions of the logical operations that
appear at the left.
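Since the domain {0,1} for B is finite, the Henkin equations can be verified by brute force. A Python check of our own for the equations for ∧, ∨, and →, enumerating all sixteen functions of type BBB as value tables:

```python
from itertools import product

B = (0, 1)
neg = lambda z: 1 - z                  # ¬ over {0,1}

# all 16 functions of type BBB, as value tables t with f x y = t[x][y]
funs = [lambda x, y, t=t: t[x][y] for t in product(product(B, B), repeat=2)]
assert len(funs) == 16

for x, y in product(B, B):
    # ∧ = λxy. ∀f. fxy ≡ f⊤⊤ : x ∧ y holds iff fxy = f⊤⊤ for every f
    assert all(f(x, y) == f(1, 1) for f in funs) == bool(x and y)
    # ∨ = λxy. ¬(¬x ∧ ¬y), with ∧ computed as multiplication over {0,1}
    assert neg(neg(x) * neg(y)) == max(x, y)
    # → = λxy. ¬x ∨ y : false exactly for x = ⊤, y = ⊥
    assert max(neg(x), y) == (0 if (x, y) == (1, 0) else 1)
```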
Proposition 4.3.1 A formula s is valid if and only if ¬s is unsatisfiable.
The language given by well-typed terms, formulas and logical interpretations
is called simple type theory. It originated in 1940 with Church [10]. Major contributions came from Leon Henkin [20, 21]. Andrews [1] is the best available
textbook that introduces simple type theory in Church-Henkin style. Simple
type theory provides the logical base for proof assistants like Isabelle [29] and
HOL [19]. Simple type theory is one prominent example of a higher-order logic,
but often higher-order logic or HOL are used as synonyms for simple type theory.
The decomposition of simple type theory into the simply typed lambda calculus
(interpretations) and the logic component (logical interpretations) introduced in
this section is not standard although obvious. The syntactic part of the (sim-
ply typed) lambda calculus has become the base of the theory of programming
languages [31, 28].
In the following we will mostly use simple type theory as the underlying
framework. To simplify our language we will refer to logical interpretations sim-
ply as interpretations.
4.4 Specification of the Natural Numbers
Can we specify the natural numbers in simple type theory? Yes, we can. To
see how, let’s first ask another question: What are the natural numbers? For
centuries, mathematicians have just assumed that the natural numbers exist and were happy to study their properties. Nowadays, sets are taken as starting
point and hence we can define the natural numbers. Given sets, we have many
possibilities to construct the natural numbers. Maybe the most straightforward
possibility is to see the natural numbers as the sets
∅, {∅}, {{∅}}, {{{∅}}}, . . .

where ∅ is taken as 0, {∅} as 1, and so on. Based on this construction, one can
define addition, multiplication, and the order relation.
In simple type theory, we cannot mimic the set-theoretic construction of N.
However, a different, more abstract approach works that you may know from
abstract data types. We start with a sort N and two names O : N and S : NN .
Our goal is a formula nat such that every interpretation that interprets the sort N as the set N of natural numbers, O as 0, and S as λn∈N. n+1 satisfies nat. We call such interpretations canonical. The function λn∈N. n+1 is known as the successor function.
We need to require more of nat since the formula ⊤ satisfies what we have said so far. What we need in addition is that for every formula s the formula nat → s is valid if and only if s is satisfied by every canonical model of nat. Since O≠SO is satisfied by every canonical model but ⊤ → O≠SO is not valid, ⊤ doesn't suffice for nat.
We cannot expect to find a formula nat whose models are exactly the canonical
models. The reason is that formulas cannot distinguish the many equivalent
constructions of the natural numbers. We call an interpretation quasi-canonical
if it is canonical up to the fact that it uses a different construction of N.
So what is a construction of the natural numbers? We require that we are
given a set N , a value O ∈ N , and a function S ∈ N → N such that two conditions
are satisfied:
1. The values O, SO, S(SO), S(S(SO)), . . . are pairwise distinct.
2. N = { O, SO, S(SO), S(S(SO)), . . . }

The second condition says that every x ∈ N can be obtained from O by applying S a certain number of times. The first condition says that S each time yields a new value in N. This ensures that N is infinite.
It is not difficult to express the first condition in simple type theory. It suffices
to say that S is injective and always yields a value that is different from O:
∀xy. Sx=Sy → x=y
∀x. Sx≠O
The second condition requires an insight. We need to say that every element of
N is reachable from O with S. We can do this by saying that every subset of N that contains O and is closed under S is the full set N:
∀p. pO ∧ (∀x. px → p(Sx)) →∀x.px
This formula was first given by Giuseppe Peano in 1889 [30] and is known as the induction axiom. Read the article Peano axioms in Wikipedia to learn more. The
conjunction of the three formulas stated above yields the formula nat we were
looking for.
So far, we have the natural numbers just with O and S. Given O and S, it is
straightforward to specify addition + : NNN :
∀y. O + y = y
∀xy. Sx + y = x + Sy
The two formulas specify the meaning of the name + by recursion over the first
argument. Recursion is a fundamental programming technique that has been
used by mathematicians for a long time. In case you don’t feel comfortable with
recursion, get yourself acquainted with functional programming (there are plenty
of textbooks, ML and Haskell are the most popular languages).
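The two recursion equations can be transcribed directly as a recursive program; reading Sx as x+1, they become the following Python sketch:

```python
def add(x, y):
    if x == 0:                     # O + y = y
        return y
    return add(x - 1, y + 1)       # Sx + y = x + Sy

assert add(2, 3) == 5
# the specified operation agrees with the built-in addition
assert all(add(x, y) == x + y for x in range(10) for y in range(10))
```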
Exercise 4.4.1 (Multiplication) Extend the specification of the natural numbers with a formula that specifies the name · : NNN as multiplication.
Exercise 4.4.2 (Pairs) Let the names pair : στP, fst : Pσ, and snd : Pτ be given. Find a formula that is satisfied by a logical interpretation I if and only if IP = Iσ × Iτ and pair, fst, and snd are interpreted as the pairing and projection functions.
Exercise 4.4.3 (Termination) Let r : ααB be a name. Find a formula that is
satisfied by a logical interpretation I if and only if Ir is the functional coding of
a terminating relation.
Exercise 4.4.4 (Finiteness) Let f : σσ be a name.
a) Find a term injective : (σσ)B such that a logical interpretation satisfies the
formula injectivef if and only if it interprets f as an injective function.
b) Find a term surjective : (σσ)B such that a logical interpretation satisfies the
formula surjectivef if and only if it interprets f as a surjective function.
c) Find a formula finite that is satisfied by a logical interpretation I if and only
if Iσ is a finite set.
Exercise 4.4.5 (Lists) Let the names nil : L, cons : σLL, hd : Lσ , and tl : LL be
given. Find a formula that is satisfied by a logical interpretation I if and only if L represents all lists over σ and nil, cons, hd, and tl represent the list operations.
Make sure that L contains no junk elements.
5 Formal Proofs
There are two essential requirements for a proof system:
• Soundness: If a formula has a proof, the formula must be valid.
• Decidability: Given a proof object p and a formula s, it must be algorithmically
decidable whether p is a proof of s.
The first proof system was devised by Frege in 1879 [13]. Fifty years later,
Gentzen [16] invented the now predominant sequent-based proof systems.
5.1 Abstract Proof Systems
We start with an abstract notion of proof system. A proof step is a pair
({x1, . . . , xn}, x), which may be written as

x1 · · · xn
───────────
     x
The objects x1, . . . , xn are the premises and the object x is the conclusion of
the proof step. A proof step is primitive if it has no premises. A proof system
is a set of proof steps. The premises and the conclusions of the steps of a proof
system are jointly referred to as propositions. Given a proof system S and a set P, the closure S[P] is defined recursively:

1. If x ∈ P, then x ∈ S[P].
2. If (Q,x) ∈ S and Q ⊆ S[P], then x ∈ S[P].

Due to the recursive definition of closures, we obtain proof trees that verify
statements of the form x ∈ S[P]. The proof tree
[Proof tree: x4 is inferred from the premises x1 and x2, x5 is inferred from x3, and x6 is inferred from x4 and x5.]
verifies the statement x6 ∈ S[{x2}] provided the following pairs are proof steps of S: (∅, x1), (∅, x3), ({x1, x2}, x4), ({x3}, x5), ({x4, x5}, x6). Obviously, we have x ∈ S[P] if and only if there is a proof tree that verifies x ∈ S[P].
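The closure S[P] of a finite proof system is computable by fixpoint iteration; a Python sketch, using the proof steps from the example above:

```python
def closure(S, P):
    """S[P]: the least set containing P and closed under the proof steps in S.
    S is a finite set of steps (premises, conclusion), premises a frozenset."""
    C = set(P)
    changed = True
    while changed:
        changed = False
        for prem, concl in S:
            if prem <= C and concl not in C:
                C.add(concl)
                changed = True
    return C

# x1 and x3 are primitive; x4 from {x1,x2}; x5 from {x3}; x6 from {x4,x5}
S = {(frozenset(), 'x1'), (frozenset(), 'x3'),
     (frozenset({'x1', 'x2'}), 'x4'),
     (frozenset({'x3'}), 'x5'),
     (frozenset({'x4', 'x5'}), 'x6')}
assert closure(S, {'x2'}) == {'x1', 'x2', 'x3', 'x4', 'x5', 'x6'}   # x6 ∈ S[{x2}]
assert closure(S, set()) == {'x1', 'x3', 'x5'}                      # x6 ∉ S[∅]
```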
Proposition 5.1.1 Let S be a proof system. Then:
1. P ⊆ S[P]
2. P ⊆ Q =⇒ S[P] ⊆ S[Q]
3. Q ⊆ S[P] =⇒ S[P ∪ Q] = S[P]
In practice, proof systems are supposed to be decidable. To this end a decidable set X of propositions is fixed and S is chosen as a decidable set of proof
steps for X. Given a decidable set P ⊆ X, it is decidable whether a given tree
is a proof tree that verifies x ∈ S[P]. Consequently the closure S[P] is semi-
decidable.
A proposition x is derivable in a proof system S if x ∈ S[∅]. A proof step
(P, x) is derivable in a proof system S if x ∈ S[P]. Derivability of a proof step
means that it can be simulated with proof steps that are in S. If we extend a
proof system with derivable steps, the closures do not change. However, we may
obtain smaller proof trees for given x and P . A proof tree that uses derivable
rules can always be compiled into a proof tree just using basic rules.
Let V be a set. A proof step (P, x) applies to V if P ⊆ V. A proof step (P, x) is sound for V if x ∈ V whenever (P, x) applies to V. A proof system S is sound for V if every proof step of S is sound for V.
Proposition 5.1.2 A proof system S is sound for V if and only if S[V] = V .
Proposition 5.1.3 If S is sound for V, then S[∅] ⊆ V.
Exercise 5.1.4 Let the proof system S = { ({x,y}, z) | x, y, z ∈ N ∧ x·y = z } be given.
a) Determine S[∅].
b) Determine S[{2}].
c) Give a proof step ({x}, y) ∈ S that has only one premise.
d) Derive the proof step ({2,3},12).
e) Is S sound for the even numbers?
f) Is S sound for the odd numbers?
g) Does S[{2x|x ∈ N}] contain an odd number?
5.2 Deducible Sequents
Our goal is formal proofs for the validity of formulas. The obvious approach
is to establish a proof system for formulas that is sound for the set of valid
formulas. Systems of this kind are known as Hilbert systems. The first such
system was developed by Frege [13]. Hilbert systems have the disadvantage that
their proof trees are difficult to construct. The reason is that with Hilbert systems
one cannot obtain proof trees whose structure resembles natural proofs.
Natural proofs work with assumptions. For instance, if we want to prove an implication s ⇒ t, we say "assume s" and then prove t under the assumption s. Similarly, to prove a statement ∀x∈X : s, we say "let x ∈ X" and then prove s under the assumption x ∈ X. Gerhard Gentzen [16] was the first who designed
proof systems that maintain assumptions in the way natural proofs do. To make
this possible, Gentzen uses sequents rather than formulas as propositions.
A sequent is a pair A ⇒ s where A is a finite set of formulas and s is a formula.
The formulas in A are called the assumptions of the sequent, and s is called
the claim of the sequent. A sequent is valid if every logical interpretation that
satisfies all assumptions of the sequent also satisfies the claim of the sequent.
We write ⊨ for the set of all valid sequents, and A ⊨ s if A ⇒ s is valid.
Proposition 5.2.1
1. A formula s is valid if and only if the sequent ∅ ⇒ s is valid.
2. A sequent {s1, . . . , sn} ⇒ s is valid if and only if the formula s1 → ··· → sn → s is valid.
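For propositional formulas, both characterizations in Proposition 5.2.1 can be checked by brute force, since validity then amounts to truth under all Boolean assignments. The sketch below (our own encoding of formulas as Python functions, not from the text) confirms the correspondence for the sequent p, p → q ⇒ q:

```python
from itertools import product

def interpretations(names):
    # all logical interpretations of the given Boolean names
    for values in product([False, True], repeat=len(names)):
        yield dict(zip(names, values))

def sequent_valid(assumptions, claim, names):
    # valid iff every interpretation satisfying all assumptions
    # also satisfies the claim
    return all(claim(i) for i in interpretations(names)
               if all(a(i) for a in assumptions))

def formula_valid(formula, names):
    return all(formula(i) for i in interpretations(names))

imp = lambda a, b: (not a) or b
p = lambda i: i["p"]
q = lambda i: i["q"]
pq = lambda i: imp(p(i), q(i))

# the sequent {p, p -> q} => q ...
lhs = sequent_valid([p, pq], q, ["p", "q"])
# ... matches validity of the formula p -> (p -> q) -> q
rhs = formula_valid(lambda i: imp(p(i), imp(pq(i), q(i))), ["p", "q"])
print(lhs, rhs)   # True True
```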
We refer to the names for the logical operations (cf. § 4.3) as constants. All other
names are called variables. From now on we tacitly assume the following:
• Constants are not used as local names.
• Substitutions leave constants unchanged. That is, θc = c for every constant c and every substitution θ.
• Interpretations are always logical.
Some conventions and definitions:
• A always denotes a finite set of formulas.
• A context C captures a name x if C ’s hole is in the scope of a λx. For instance,
the context λx.(λy.[])x captures x and y but no other name.
• A context C is admissible for A if C captures no x ∈ N A.
• A substitution θ is admissible for A if θx = x for all x ∈ N A.
• θs := Sθs
• θA := { θs | s ∈ A }
We define the following notations for sequents:
• ⇒ s for ∅ ⇒ s
• A, s ⇒ t for A ∪ {s} ⇒ t
• s, t ⇒ u for {s, t} ⇒ u
5 Formal Proofs
Triv    ---------
        A, s ⊢ s

        A ⊢ s
Weak    -----   A ⊆ B
        B ⊢ s

        A ⊢ s
Sub     -------
        θA ⊢ θs

        A ⊢ s
Lam     -----   s ∼λ t
        A ⊢ t

        A, s ⊢ t
Ded     --------
        A ⊢ s→t

        A ⊢ s→t   A ⊢ s
MP      ---------------
        A ⊢ t

Ref     -------
        A ⊢ s=s

        A ⊢ s=t   A ⊢ C[s]
Rew     ------------------   C admissible for A
        A ⊢ C[t]

D⊤      ----------
        ⊢ ⊤ ≡ ⊥→⊥

D¬      ⊢ ¬x ≡ x→⊥
D∨      ⊢ x∨y ≡ ¬x→y
D∧      ⊢ x∧y ≡ ¬(¬x∨¬y)
D∀      ⊢ ∀f ≡ f=λx.⊤
D∃      ⊢ ∃f ≡ ¬∀x.¬fx
BCA     f⊥, f⊤ ⊢ fx
Choice  ⊢ ∃c.∀f. ∃f → f(cf)

Figure 5.1: The basic proof system B defining ⊢
Figure 5.1 defines a proof system B for sequents. We refer to this system as
the basic proof system. The proof steps of B are described by means of schemes
called rules. Given a rule, the proof steps described by the rule are obtained
by taking the sequents above the horizontal line as premises and the sequent
below the horizontal line as conclusion. The rules Lam and Rew come with side
conditions that constrain the obtainable proof steps. Starting with D¬, we omit
the horizontal line for primitive rules (i.e., rules without premises). Following
a common abuse of notation, we write the sequents appearing as premises and
conclusions of the rules with ⊢ rather than ⇒. Every rule comes with a name that
appears to its left.
Proposition 5.2.2 The proof system B is sound for ⊨.
Proof We have to check for every rule in Figure 5.1 that the conclusion is valid
if all the premises are valid. It is ok to think of A as a formula and of ⊢ as
implication. With this proviso the soundness of most rules should be intuitively
clear. The soundness of Lam follows with Proposition 4.2.1. ∎
We define ⊢ := B[∅] and write A ⊢ s for (A ⇒ s) ∈ ⊢. A sequent A ⇒ s is
deducible if A ⊢ s. Since B is sound for ⊨, deducible sequents are valid and
⊢ ⊆ ⊨. The symbol ⊢ originated with Frege and is pronounced turnstile.
It is important to distinguish between the set ⊢ of deducible sequents and the
proof system B defining it. The set ⊢ is canonical and we will work with it for a
long time. The proof system B is not canonical. The set of deducible sequents
can be defined with many other proof systems.
We will study B and ⊢ by deriving more and more useful proof steps. We start
with some remarks on the rules given in Figure 5.1. The rules Triv, Weak, Sub,
and Lam are general rules that are not committed to particular logic operations.
The rules Ded and MP concern implication. Next follow the rules Ref and Rew,
which concern identities. The next 6 rules act as equational definitions of ⊤, ¬,
∨, ∧, ∀, and ∃. The final two rules BCA and Choice state properties that cannot
be obtained with the previous rules. BCA says that a function f : BB that yields
⊤ for both ⊥ and ⊤ yields ⊤ for every x : B. Choice states the existence of choice
functions.
The full names of the rules are as follows: Triviality, Weakening, Substitution,
Lambda, Deductivity, Modus Ponens, Reflexivity, Rewriting, and Boolean Case
Analysis. The D stands for definition.
Example 5.2.3 Here is a proof tree, written as a linear derivation with the leaves
first, that verifies (x→x)→x ⊢ x:
1. (x→x)→x ⊢ (x→x)→x    (Triv)
2. (x→x)→x, x ⊢ x       (Triv)
3. (x→x)→x ⊢ x→x        (Ded, 2)
4. (x→x)→x ⊢ x          (MP, 1, 3)
5.3 Derived Rules for Turnstile and Implication
The rules Triv, Weak, Sub, Lam, Ded, and MP of Figure 5.1 constitute the kernel
of the basic proof system. They fix the basic properties of ⊢ and →. Figure 5.2 shows additional
rules that are derivable from this set of basic rules. A rule is derivable if all its
proof steps are derivable.
Derivation of Ded−
Ded− acts as the inverse of Ded. It is derivable with the following proof tree:
1. A ⊢ s→t      (premise)
2. A, s ⊢ s→t   (Weak, 1)
3. A, s ⊢ s     (Triv)
4. A, s ⊢ t     (MP, 2, 3)
The best way to construct and understand a proof tree is backwards, that is,
from the root to the leaves. To prove a sequent, one looks for a rule that yields
        A ⊢ s→t
Ded−    --------
        A, s ⊢ t

        A, u ⊢ t
Lam'    --------   u ∼λ s
        A, s ⊢ t

        A ⊢ s   A, s ⊢ t
Cut     ----------------
        A ⊢ t

        s ⊢ t   A ⊢ s
Cut     -------------
        A ⊢ t

        s1, s2 ⊢ t   A ⊢ s1   A ⊢ s2
Cut     ----------------------------
        A ⊢ t

        A ⊢ s   A, t ⊢ u
MP'     ----------------
        A, s→t ⊢ u

        A, t ⊢ u
MP'     --------------
        A, s, s→t ⊢ u

Figure 5.2: Derived rules for ⊢ and →
the sequent from hopefully weaker premises. One then continues recursively
with proving the premises.
Derivation of Cut
The first cut rule is derivable as follows:
1. A, s ⊢ t    (premise)
2. A ⊢ s→t    (Ded, 1)
3. A ⊢ s      (premise)
4. A ⊢ t      (MP, 2, 3)
It’s best to read the cut rules backwards. The first cut rule says that A ⊢ t can be
proven by using a “lemma” A ⊢ s and proving the weaker statement A, s ⊢ t.
Exercise 5.3.1 Show that Lam’ is derivable. Exploit that with Ded− assumptions
can be shifted to the right of ⊢, and that with Ded they can be shifted back.
Exercise 5.3.2 Prove the second and the third cut rule.
Exercise 5.3.3 Prove MP’.
Exercise 5.3.4 Let θ be admissible for A and A ⊢ s. Show A ⊢ θs.
Exercise 5.3.5 Show x ⊢ (x→⊥)→⊥.
5.4 Derived Rules for Identities
We now look at the basic rules Ref and Rew which handle identities. Figure 5.3
shows the most important derived rules for identities.
        A ⊢ s=t
Sym     --------
        A ⊢ t=s

        A ⊢ s=t   A ⊢ t=u
Trans   -----------------
        A ⊢ s=u

        A ⊢ s=t
Con     -------------   C admissible for A
        A ⊢ C[s]=C[t]

        A ⊢ s=t   A ⊢ C[θs]
Rep     -------------------   C, θ admissible for A
        A ⊢ C[θt]

        A ⊢ s=t   A ⊢ C[θt]
Rep     -------------------   C, θ admissible for A
        A ⊢ C[θs]

        A ⊢ s=u   A, C[θs] ⊢ t
Rep     -----------------------   C, θ admissible for A
        A, C[θu] ⊢ t

        A ⊢ s=u   A, C[θu] ⊢ t
Rep     -----------------------   C, θ admissible for A
        A, C[θs] ⊢ t

        A ⊢ sx=tx
FE      ---------   x ∉ N A ∪ N(s=t)
        A ⊢ s=t

        A ⊢ fx=s
Abs     ----------   x ∉ N A
        A ⊢ f=λx.s

        A ⊢ fxy=s
Abs     -----------   x, y ∉ N A
        A ⊢ f=λxy.s

Figure 5.3: Derived rules for identities
Derivation of Sym
1. A ⊢ s=t    (premise)
2. A ⊢ s=s    (Ref)
3. A ⊢ t=s    (Rew, 1, 2)
Derivation of Con
1. A ⊢ s=t          (premise)
2. A ⊢ C[s]=C[s]    (Ref)
3. A ⊢ C[s]=C[t]    (Rew, 1, 2)
Top     ⊢ ⊤

        A ⊢ sx⊥   A ⊢ sx⊤
BCAR    -----------------
        A ⊢ s

Bot     ⊥ ⊢ s

        A, s ⊢ t   A, t ⊢ s
Equiv   -------------------
        A ⊢ s≡t

Eq      ⊢ x ≡ x=⊤

DN      ⊢ ¬¬x ≡ x

        A, ¬s ⊢ ⊥
Contra  ----------
        A ⊢ s

Contraposition   ⊢ x→y ≡ ¬y→¬x

Icon    x, ¬x ⊢ y

N⊥      ⊢ ¬⊥ ≡ ⊤
N⊤      ⊢ ¬⊤ ≡ ⊥
N≡      ⊢ x≢y ≡ x=¬y

Figure 5.4: Derived rules for ⊤ and ¬
Derivation of FE
1. A ⊢ sx=tx              (premise)
2. A ⊢ (λx.sx)=λx.tx      (Con, 1)
3. A ⊢ s=t                (Lam, 2)
Exercise 5.4.1 Prove x=y � y=x with the basic rules.
Exercise 5.4.2 Show that Trans, Rep, and Abs are derivable.
5.5 BCA and Tautologies
A formula is propositional if it can be obtained with the following grammar:
s ::= ⊥ | ⊤ | p | ¬s | s → s | s ∧ s | s ∨ s | s ≡ s     where p : B is a variable
A tautology is a propositional formula that is valid. Typical examples of tautolo-
gies are ⊤ and x∧y ≡ y∧x. We will show that all tautologies are deducible. For
this result the rule BCA is essential.
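Since a propositional formula has finitely many variables, whether it is a tautology can be decided by checking all assignments. The following Python sketch is our own encoding (formulas as Python functions, not from the text):

```python
from itertools import product

def tautology(formula, arity):
    # a tautology is true under every assignment of its variables
    return all(formula(*values)
               for values in product([False, True], repeat=arity))

imp   = lambda a, b: (not a) or b
equiv = lambda a, b: a == b

print(tautology(lambda x, y: equiv(x and y, y and x), 2))   # True
print(tautology(lambda x, y: imp(x, y), 2))                 # False
```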
Figure 5.4 shows rules that are derivable in B with BCA.
Derivation of Top
1. ⊢ ⊤ ≡ ⊥→⊥    (D⊤)
2. ⊥ ⊢ ⊥        (Triv)
3. ⊢ ⊥→⊥       (Ded, 2)
4. ⊢ ⊤          (Rep, 1, 3)
Derivation of BCAR
The sequent sx⊥, sx⊤ ⊢ s can be derived as follows:
1. f⊥, f⊤ ⊢ fx                    (BCA)
2. (λx.s)⊥, (λx.s)⊤ ⊢ (λx.s)x     (Sub, 1)
3. sx⊥, sx⊤ ⊢ (λx.s)x             (Lam’, Lam’, 2)
4. sx⊥, sx⊤ ⊢ s                   (Lam, 3)
Now BCAR can be derived with Cut.
Derivation of Bot
1. ⊥ ⊢ ⊥    (Triv)
2. ⊢ ⊤      (Top)
3. ⊥ ⊢ ⊤    (Weak, 2)
4. ⊥ ⊢ x    (BCAR, 1, 3)
5. ⊥ ⊢ s    (Sub, 4)
Derivation of Equiv
With Sub, Cut, and Ded we can derive Equiv from ⊢ (x→y) → (y→x) → x≡y.
This sequent can be derived with BCAR from the four instances obtained by
replacing x and y with ⊥ and ⊤. Two of the instances will end with trivial
equations and can thus be obtained with Ded and Ref. Here is a derivation of
one of the remaining instances:
1. ⊢ ⊤                         (Top)
2. ⊥ ⊢ ⊥                       (Triv)
3. ⊤→⊥ ⊢ ⊥                    (MP’, 1, 2)
4. ⊤→⊥ ⊢ ⊥≡⊤                  (Bot, Cut, 3)
5. ⊢ (⊥→⊤) → (⊤→⊥) → ⊥≡⊤     (Weak, Ded, Ded, 4)
Derivation of DN
Here is a proof tree for DN that has one open premise.
1. ⊢ ((x→⊥)→⊥) → x     (open premise)
2. (x→⊥)→⊥ ⊢ x         (Ded−, 1)
3. ⊥ ⊢ ⊥                (Triv)
4. x, x→⊥ ⊢ ⊥           (MP’, 3)
5. x ⊢ (x→⊥)→⊥         (Ded, 4)
6. ⊢ (x→⊥)→⊥ ≡ x       (Equiv, 2, 5)
7. ⊢ ¬x→⊥ ≡ x          (Rep with D¬, 6)
8. ⊢ ¬¬x ≡ x            (Rep with D¬, 7)
The open premise can be shown with BCAR.
Exercise 5.5.1 Prove ⊢ ((x→⊥)→⊥)→x with BCAR. Don’t use DN.
Derivation of Contra
1. A, ¬s ⊢ ⊥       (premise)
2. A ⊢ ¬s→⊥       (Ded, 1)
3. A ⊢ ¬¬s         (Rep with D¬, 2)
4. A ⊢ s           (Rep with DN, 3)
Exercise 5.5.2 Derive ⊢ ¬s ≡ s=⊥.
5.6 Natural Deduction
We already mentioned that sequent-based proof systems were invented by
Gentzen [16]. His goal was a system whose proof rules are natural in the
sense that they formalize proof patterns used in mathematical proofs. Fig-
ure 5.5 shows a proof system ND for sequents that closely corresponds to
one of Gentzen’s systems. ND is a well-known proof system of theoretical
and practical importance. Its rules can be found in most proof assistants (e.g.,
Isabelle/HOL [29]).
Proposition 5.6.1 The proof steps of ND are derivable in B.
We will derive some of the rules of ND, but this is not our main interest. Rather,
we want to explain the structure behind the rules and how the rules relate to
mathematical proof patterns.
First, we observe that ⊤, negation, and identities do not explicitly occur in
ND. Consequently, ND is weaker than B in that it can prove fewer sequents. The
omission of ⊤ and negation is not essential since they can be treated as abbre-
viations for ⊥ → ⊥ and s → ⊥ (cf. D¬ and D⊤ in Figure 5.1). The omission
of identities, however, forgoes expressive power and important proof patterns.
The omission of identities is typical for natural deduction-like proof systems.
ND has exactly two rules for each of the logical operations →, ∧, ∨, ∀, and ∃.
Let’s refer to these operations as regular. An important modularity property
of ND is the fact that the rules for a regular operation do not employ other
operations. For every regular operation the basic proof steps are thus provided
by exactly two rules that don’t employ the other operations. The exception to
this pattern is the rule CB, which employs ⊥ and implication. CB is the only rule
that employs ⊥. Note that CB is a variant of the Contra rule.
Triv    ---------
        A, s ⊢ s

        A ⊢ s
Weak    -----   A ⊆ B
        B ⊢ s

        A, s ⊢ t
Ded     --------
        A ⊢ s→t

        A ⊢ s→t   A ⊢ s
MP      ---------------
        A ⊢ t

        A ⊢ s1   A ⊢ s2
I∧      ---------------
        A ⊢ s1∧s2

        A ⊢ s1∧s2
E∧      ---------
        A ⊢ si

        A ⊢ si
I∨      ---------
        A ⊢ s1∨s2

        A ⊢ s1∨s2   A, s1 ⊢ t   A, s2 ⊢ t
E∨      ---------------------------------
        A ⊢ t

        A ⊢ sxy
I∀      --------   y ∉ N A ∪ N(∀x.s)
        A ⊢ ∀x.s

        A ⊢ ∀x.s
E∀      --------
        A ⊢ sxt

        A ⊢ sxt
I∃      --------
        A ⊢ ∃x.s

        A ⊢ ∃x.s   A, sxy ⊢ t
E∃      ----------------------   y ∉ N A ∪ N(∃x.s) ∪ N t
        A ⊢ t

        A, s→⊥ ⊢ ⊥
CB      -----------
        A ⊢ s

Figure 5.5: The natural deduction system ND
One distinguishes between introduction and elimination rules. For every reg-
ular operation, ND has one introduction and one elimination rule. In Figure 5.5,
the introduction rules appear left and the elimination rules appear right. For
implication, the introduction rule is Ded and the elimination rule is MP. For ev-
ery regular operation o, the introduction rule formalizes the natural pattern for
proving formulas built with o. The corresponding elimination rule formalizes a
natural pattern for making use of an already proven formula built with o. Note
that the logical operations appear exclusively in the claims of the sequents ap-
pearing as premises and conclusions of the introduction and elimination rules.
The introduction rules can be paraphrased as follows:
• To prove s → t, assume s and prove t.
• To prove s1 ∧ s2, prove both s1 and s2.
• To prove s1 ∨ s2, prove either s1 or s2.
• To prove ∀x.s, prove sxy for some fresh name y .
• To prove ∃x.s, prove sxt for some term t. The term t is referred to as a witness.
We now see why one speaks of natural deduction: The introduction rules in fact
formalize common proof patterns from mathematical proofs. This is also the
case for the elimination rules, which can be paraphrased as follows: If you have
already proven
• s → t, you can prove the claim t by proving s.
• s1 ∧ s2, you have also proven s1 and s2.
• s1∨ s2, you can prove a claim t by case analysis: first with the assumption s1,
then with the assumption s2.
• ∀x.s, you have also proven every instance sxt .
• ∃x.s, you can prove a claim t with the additional assumption sxy where y is a
fresh name.
Proposition 5.6.2 Ded−, Cut, and MP’ are derivable in ND.
Proof Follows with proof trees for B in § 5.3 since only the common rules Triv,
Weak, Ded, and MP are used. ∎
Proposition 5.6.3 Sub is derivable in ND.
Proof We show how Sub can be derived if only one variable is replaced.
1. s ⊢ t         (premise)
2. ⊢ s→t        (Ded, 1)
3. ⊢ ∀x. s→t    (I∀, 2)
4. ⊢ sxu→txu    (E∀, 3)
5. sxu ⊢ txu    (Ded−, 4)
The proof can be generalized to the case where several variables are replaced. ∎
Which rules do we have to add to ND so that we can derive all rules of B? One
can show that Lam, Ref, Rew, BCA, and Choice do the job. If we add BCA, we can
drop CB since CB can be derived with ND and BCA (see the derivation of Contra
in B in § 5.5). We now see that we can account for the operations ∧, ∨, ∀ and ∃
in two ways: through defining equations as done by B, or through proof rules as
done by ND.
Exercise 5.6.4 Consider the sequent f(x→x) ⊢ f(y→y). This sequent cannot
be proven in ND. Sketch a proof in B. Derived rules are fine.
5.7 Predicate Logic and Completeness
A formula is called first-order if it can be obtained with the following grammar:
s ::= ⊥ | ⊤ | p t . . . t | t = t | ¬s | s → s | s ∧ s | s ∨ s | s ≡ s | ∀x.s | ∃x.s
t ::= f t . . . t
where p : α . . .αB, x : α, and f : α . . .αα are variables and α ≠ B
The logic obtained with propositional formulas is called propositional logic, and
the one obtained with first-order formulas is called (first-order) predicate logic.
Gentzen devised his natural deduction system for predicate logic without equal-
ity (i.e., without identities). Predicate logic was studied long before the more
general simple type theory was invented. In a native account of predicate logic,
both quantifiers act as variable binders, hence there is no need for lambda terms.
A sequent is propositional [first-order] if all its formulas are propositional
[first-order]. A proof tree is propositional [first-order] if it only involves propo-
sitional [first-order] sequents.
Theorem 5.7.1 (Completeness) For every valid sequent S that doesn’t contain
⊤, ¬, and identities, the following statements hold:
1. If S is first-order, then S can be derived with a first-order ND proof tree.
2. If S is propositional, then S can be derived with a propositional ND proof tree.
A theorem of this type was first shown by Gentzen [16]. The first completeness
theorem for first-order formulas was shown by Gödel [18] (for a Hilbert system).
A proof system that is complete for all valid sequents cannot exist since the
set of valid formulas is not semi-decidable. This follows from the fact that we
can construct for every Turing machine M a formula s such that M halts on all
inputs if and only if s is valid.
5.8 Natural Language Proofs and Natural Deduction
Proofs
In this section we give examples of provable sequents, natural language proofs
of the sequents, and the corresponding ND proof trees. We begin with a very
simple example.
Example 5.8.1 ⊢ ∀x.px → px where x : α and p : αB.
Natural Language Proof: Let x : α be given. Assume px holds. By assumption,
px holds, so we are done.
(Instead of writing “we are done” we may also write “QED.”)
Formal Proof:
1. px ⊢ px          (Triv)
2. ⊢ px → px       (Ded, 1)
3. ⊢ ∀x.px → px    (I∀, 2)
Let’s consider a similar example involving a quantifier over the type B of
Booleans.
Example 5.8.2 ⊢ ∀p.p → p where p : B.
Natural Language Proof: Let p be a Boolean value. Assume p holds. By assump-
tion, p holds. QED.
Formal Proof:
1. p ⊢ p         (Triv)
2. ⊢ p → p      (Ded, 1)
3. ⊢ ∀p.p → p   (I∀, 2)
When the sequent has a nonempty set of assumptions, then we can make use
of these assumptions in the proof of the conclusion. Let’s consider an example
with a nonempty set of assumptions.
Example 5.8.3 man Socrates, ∀x.manx → mortalx ⊢ mortal Socrates
Natural Language Proof: Since Socrates is a man and all men are mortal, Socrates
is mortal.
Formal Proof: Let A denote the set {man Socrates, ∀x.manx → mortalx}.
1. A ⊢ ∀x.manx → mortalx                (Triv)
2. A ⊢ man Socrates → mortal Socrates   (E∀, 1)
3. A ⊢ man Socrates                     (Triv)
4. A ⊢ mortal Socrates                  (MP, 2, 3)
“Socrates is mortal” is a common example of deductive reasoning dating back
to Aristotle. The proof demonstrates a truth that is independent of the sugges-
tive names man, mortal and Socrates. Reconsider the example with less sugges-
tive names. We still write “x is a p” to mean “px holds.” This makes sense in
the Socrates example, since man Socrates means Socrates is a man. Other ways
to say “px holds” include “x has property p,” “x is in p” and “x satisfies p.”
Example 5.8.4 pa, ∀x.px → qx ⊢ qa
Natural Language Proof: Since a is a p and every p is a q, a is a q.
Formal Proof: Let A be the set {pa, ∀x.px → qx}.
1. A ⊢ ∀x.px → qx    (Triv)
2. A ⊢ pa → qa       (E∀, 1)
3. A ⊢ pa            (Triv)
4. A ⊢ qa            (MP, 2, 3)
So far we have only shown examples involving ∀ and →. We next consider an
example with ∧ and ∨.
Example 5.8.5 a ∨ b∧c ⊢ (a∨b) ∧ (a∨c) where a, b, c : B.
Natural Language Proof: By case analysis. Case 1: Assume a holds. In this case
a∨b and a∨c both hold. Hence their conjunction holds. Case 2: Assume b∧c
holds. This means both b and c hold. Consequently, the disjunctions a∨b and
a∨c both hold. Thus the conjunction holds and we are done.
Formal Proof: Let A be the set {a ∨ b∧c} and A′ be the set {a ∨ b∧c, b∧c, b, c}.
The main proof tree is
1. A ⊢ a ∨ b∧c           (Triv)
2. A ⊢ (a∨b) ∧ (a∨c)     (E∨, 1, Case 1, Case 2)
where (Case 1) is the proof tree
1. A, a ⊢ a                  (Triv)
2. A, a ⊢ a∨b                (I∨, 1)
3. A, a ⊢ a∨c                (I∨, 1)
4. A, a ⊢ (a∨b) ∧ (a∨c)      (I∧, 2, 3)
and (Case 2) is the proof tree
1. A, b∧c ⊢ b∧c                  (Triv)
2. A, b∧c ⊢ b                    (E∧, 1)
3. A, b∧c, b ⊢ b∧c               (Triv)
4. A, b∧c, b ⊢ c                 (E∧, 3)
5. A′ ⊢ b                        (Triv)
6. A′ ⊢ a∨b                      (I∨, 5)
7. A′ ⊢ c                        (Triv)
8. A′ ⊢ a∨c                      (I∨, 7)
9. A′ ⊢ (a∨b) ∧ (a∨c)            (I∧, 6, 8)
10. A, b∧c, b ⊢ (a∨b) ∧ (a∨c)    (Cut, 4, 9)
11. A, b∧c ⊢ (a∨b) ∧ (a∨c)       (Cut, 2, 10)
We next consider the existential quantifier ∃.
Example 5.8.6 pa ⊢ ∃x.px where x, a : α and p : αB.
Natural Language Proof: We must prove there is some p. We know there is a p
since a is a p.
Formal Proof:
1. pa ⊢ pa        (Triv)
2. pa ⊢ ∃x.px     (I∃, 1)
This example using ∃ was too easy. Let’s consider one that requires a bit more
work.
Example 5.8.7 pa∨pb, ∀x.px → qx ⊢ ∃x.qx where x, a, b : α and p, q : αB.
Natural Language Proof: We must prove there is some q. We consider two cases.
Case 1: Assume a is a p. Since every p is also a q, a is a q. Hence there is some
q in this case. Case 2: Assume b is a p. Since every p is also a q, b is a q. Hence
there is some q in this case as well and we are done.
Formal Proof: Let A be {pa∨pb, ∀x.px → qx}. The main proof tree is
1. A ⊢ pa∨pb    (Triv)
2. A ⊢ ∃x.qx    (E∨, 1, Case 1, Case 2)
where (Case 1) is the proof tree
1. A, pa ⊢ ∀x.px → qx    (Triv)
2. A, pa ⊢ pa → qa       (E∀, 1)
3. A, pa ⊢ pa            (Triv)
4. A, pa ⊢ qa            (MP, 2, 3)
5. A, pa ⊢ ∃x.qx         (I∃, 4)
and (Case 2) is the proof tree
1. A, pb ⊢ ∀x.px → qx    (Triv)
2. A, pb ⊢ pb → qb       (E∀, 1)
3. A, pb ⊢ pb            (Triv)
4. A, pb ⊢ qb            (MP, 2, 3)
5. A, pb ⊢ ∃x.qx         (I∃, 4)
The next example shows how to use an existential assumption.
Example 5.8.8 ∃z.pz, ∀x.px → q(fx) ⊢ ∃y.qy where x, y, z : α, p, q : αB and
f : αα.
Natural Language Proof: We must prove there is some q. We know there is some
p. Let a be a p. We know if x is a p then fx is a q. In particular, fa is a q. We
conclude that there is some q. QED.
Formal Proof: Let A be {∀x.px → q(fx), ∃z.pz}.
1. A ⊢ ∃z.pz                 (Triv)
2. A, pa ⊢ ∀x.px → q(fx)     (Triv)
3. A, pa ⊢ pa → q(fa)        (E∀, 2)
4. A, pa ⊢ pa                (Triv)
5. A, pa ⊢ q(fa)             (MP, 3, 4)
6. A, pa ⊢ ∃y.qy             (I∃, 5)
7. A ⊢ ∃y.qy                 (E∃, 1, 6)
Question: Would the proof tree verify A ⊢ ∃y.qy if A were {a = a, ∀x.px →
q(fx), ∃z.pz}? ∎
The Lam and Ref rules are not part of the ND system. If we add them to the
system, then we can prove the following example.
Example 5.8.9 ⊢ ∃f .∀x.fx = x where f : αα and x : α.
Natural Language Proof: We must prove there is some function f such that
fx = x for any x. We can simply take f to be λx.x. Note that for any x,
(λx.x)x is the same as x up to λ-equivalence.
Formal Proof:
1. ⊢ x = x              (Ref)
2. ⊢ ∀x.x = x           (I∀, 1)
3. ⊢ ∀x.(λx.x)x = x     (Lam, 2)
4. ⊢ ∃f.∀x.fx = x       (I∃, 3)
5.9 More Derivations
First we derive I∀ and E∀ in B.
Example 5.9.1 (Universal Generalization, I∀)
1. A ⊢ s                 (premise)
2. A ⊢ s = ⊤             (Rep with Eq, 1)
3. A ⊢ (λx.s) = λx.⊤     (Con, 2; x ∉ N A)
4. A ⊢ ∀x.s              (Rep with D∀, 3)
Example 5.9.2 (Universal Instantiation, E∀)
1. A ⊢ ∀x.s                 (premise)
2. A ⊢ (λx.s) = λx.⊤        (Rep with D∀, 1)
3. A ⊢ (λx.s)t = (λx.⊤)t    (Con, 2)
4. A ⊢ sxt = ⊤              (Lam, 3)
5. A ⊢ sxt                  (Rep with Eq, 4)
Example 5.9.3 (D∀) While B accommodates ∧, ∨, ∀, and ∃ through defining equa-
tions (the rules starting with D), ND accommodates these operations through
introduction and elimination rules. Both approaches have the same power. We
have just shown that I∀ and E∀ are derivable with D∀. We now show that D∀ is
derivable with I∀ and E∀. Because of Equiv it suffices to show ∀f ⊢ f = λx.⊤
and f = λx.⊤ ⊢ ∀f . We show the former and leave the latter as an exercise.
1. ∀x.fx ⊢ fx                 (Triv, E∀)
2. ∀f ⊢ fx                    (Lam’, 1)
3. ∀f ⊢ fx = ⊤                (Rep with Eq, 2)
4. ∀f ⊢ (λx.fx) = λx.⊤        (Con, 3)
5. ∀f ⊢ f = λx.⊤              (Lam, 4)
Exercise 5.9.4 Derive f = λx.⊤ ⊢ ∀f with I∀.
Example 5.9.5 (Extensionality) We have ∀x. fx=gx ⊢ f=g. The respective
rule is known as extensionality. Here is a proof tree:
1. ∀x. fx=gx ⊢ fx=gx              (Triv, E∀)
2. ∀x. fx=gx ⊢ (λx.fx)=λx.gx      (Con, 1)
3. ∀x. fx=gx ⊢ f=g                (Lam, 2)
5.10 Simplifying Lam and Sub
The basic proof system can be simplified by replacing Lam and Sub by simpler
rules. This simplification makes it easier to prove soundness. Lam and Sub then
appear as derived rules. Here are the simpler rules:
β    ⊢ (λx.s)t = sxt
η    ⊢ (λx.fx) = f
Eq   ⊢ x ≡ x=⊤
First we observe that we can prove Ref with Rew and β:
1. ⊢ (λx.s)x = s    (β)
2. ⊢ (λx.s)x = s    (β)
3. ⊢ s = s          (Rew, 1, 2)
So we may also drop Ref. Lam can be derived with Ref, β, η, Con, Sym, and
Trans. To see that Sub is derivable, we first show that the steps from ⊢ s = t
to ⊢ sxu = txu are derivable:
1. ⊢ s = t                   (premise)
2. ⊢ (λx.t)u = txu           (β)
3. ⊢ (λx.s)u = sxu           (β)
4. ⊢ (λx.s)u = (λx.t)u       (Con, 1)
5. ⊢ sxu = (λx.t)u           (Rew, 3, 4)
6. ⊢ sxu = txu               (Rew, 2, 5)
Next we show that the steps from ⊢ s to ⊢ sxt are derivable:
1. ⊢ s                       (premise)
2. ⊢ s = ⊤                   (Rew with Eq, 1)
3. ⊢ (λx.s)t = (λx.⊤)t       (Con, 2)
4. ⊢ sxt = ⊤                 (Lam, 3)
5. ⊢ sxt                     (Rew with Eq, 4)
Now we obtain the derivability of Sub with Ded− and Ded.
5.11 Remarks
In the first two chapters of their textbook [23], Huth and Ryan give an elementary
introduction to natural deduction. They use a popular graphical notation for
natural deduction proofs and give many examples. To know more about proof
systems, you may consult the textbook by Troelstra and Schwichtenberg [38]. An
excellent source of historical information on logic is the Stanford Encyclopedia
of Philosophy [41], which is available online. The following text is taken from the
entry The Development of Proof Theory (with minor changes).
Before the work of Frege in 1879 [13], no one seems to have maintained that
there could be a complete set of principles of proof, in the sense expressed by
Frege when he wrote that in his symbolic language, “all that is necessary for a
correct inference is expressed in full, but what is not necessary is generally not
indicated; nothing is left to guesswork.” Even after Frege, logicians such as Peano
β    (λx.s)t = sxt

η    (λx.fx) = f

      s = t   C[s]
Rew   ------------
      C[t]

Figure 5.6: The proof system L
kept formalizing the language of mathematical arguments, but without any ex-
plicit list of rules of proof. Frege’s step ahead was decisive for the development
of logic and foundational study.
Russell took up Frege’s logic, but used the notation of Peano, and thus formu-
lated an axiomatic approach to logic. The idea was that the axioms express basic
logical truths, and other logical truths are derived from these through modus
ponens and universal generalization (I∀), the two principles Frege had identi-
fied. Mathematics was to be reduced to logic, so that its proofs would become
presented in the same axiomatic pattern.
In his thesis Untersuchungen über das logische Schliessen (Investigations into
Logical Inference, under the supervision of Bernays, accepted in June 1933 and
published in two parts in 1934-35), Gentzen states that he set as his task the
analysis of mathematical proofs as they occur in practice. Hilbert’s lecture in
Hamburg in 1930 is one obvious source of inspiration for this venture. The first
observation is that actual proofs are not based on axioms expressed in a logical
language, as in Hilbert’s axiomatic proof theory. The most typical feature is
instead that theorems make their claims under some assumptions.
5.12 Bonus: Equational Deduction
The proof system L consists of the proof steps described by the rules in Fig-
ure 5.6. The premises and conclusions of the steps of L are formulas. Note that
every formula in L[∅] is an equation.
Proposition 5.12.1 (Soundness)
1. L is sound for { s=t | s ∼λ t }.
2. L is sound for the set of valid formulas.
Proof We have →β ∪ →η ⊆ ∼λ by the definition of lambda equivalence in § 3.6.
Hence the proof steps described by β and η are sound for lambda equivalent
equations. The soundness of the steps described by Rew follows from the com-
patibility, symmetry, and transitivity of lambda equivalence (Proposition 3.6.7).
We omit the soundness proof for valid formulas. ∎
Ref    s = s

       s = t
Sym    -----
       t = s

       s = t   t = u
Trans  -------------
       s = u

       s = t
Con    -----------
       C[s] = C[t]

       s = t
Sub    -------
       θs = θt

α      (λx.s) = λy.sxy   y ∉ N(λx.s)

       s
Lam    -   s ∼λ t
       t

       s = t   C[θs]
Rep    -------------
       C[θt]

       s = t   C[θt]
Rep    -------------
       C[θs]

       f = λx.u
App    ---------
       fs = uxs

       f = λxy.u
App    -----------
       fst = uxyst

       fx = s
Abs    ---------
       f = λx.s

       fxy = s
Abs    ----------
       f = λxy.s

       sx = tx
FE     -------   x ∉ N(s = t)
       s = t

Figure 5.7: Rules derivable in L
Figure 5.7 shows some rules that are derivable in L. We give some of the
derivations and leave the others as exercises.
Derivation of Ref
1. (λx.s)x = s    (β)
2. (λx.s)x = s    (β)
3. s = s          (Rew, 1, 2)
Derivation of Sym
1. s = t    (premise)
2. s = s    (Ref)
3. t = s    (Rew, 1, 2)
Exercise 5.12.2 Derive Trans in L.
Derivation of Con
1. s = t          (premise)
2. C[s] = C[s]    (Ref)
3. C[s] = C[t]    (Rew, 1, 2)
Derivation of Sub
We show how Sub can be derived if only one variable is replaced.
1. s = t                   (premise)
2. (λx.t)u = txu           (β)
3. (λx.s)u = sxu           (β)
4. (λx.s)u = (λx.t)u       (Con, 1)
5. sxu = (λx.t)u           (Rew, 3, 4)
6. sxu = txu               (Rew, 2, 5)
The derivation can be generalized to the case where several variables are re-
placed.
Derivation of α
1. (λx.s)y = sxy           (β)
2. (λy.fy) = f             (η)
3. f = λy.fy               (Sym, 2)
4. (λx.s) = λy.(λx.s)y     (Sub, 3; y ∉ N(λx.s))
5. (λx.s) = λy.sxy         (Rew, 1, 4)
Derivation of Lam
Proposition 5.12.3 L[∅] = { s=t | s ∼λ t }.
Proof The direction ⊆ follows from the fact that L is sound for lambda equiva-
lent equations (Proposition 5.12.1). To see the other direction, we first observe
that s = t is derivable in L if s →λ t (rules β, η, α, Con). Now the rest follows
from the definition of ∼λ with Ref, Sym, and Trans. ∎
The derivability of Lam now follows with Rew.
Exercise 5.12.4 Derive Rep, App, Abs, and FE in L.
Equational Deduction with Sequents
The proof system ED consists of the proof steps described by the rules in Fig-
ure 5.8. The premises and conclusions of the steps of ED are sequents.
Proposition 5.12.5 (Soundness) ED is sound for valid sequents.
β     ⊢ (λx.s)t = sxt
η     ⊢ (λx.fx) = f

      A ⊢ s=t   A ⊢ C[s]
Rew   ------------------   C admissible for A
      A ⊢ C[t]

Triv  ---------
      A, s ⊢ s

      A ⊢ s
Weak  -----   A ⊆ B
      B ⊢ s

      A ⊢ s   A, s ⊢ t
Cut   ----------------
      A ⊢ t

      A ⊢ s
Sub   -------
      θA ⊢ θs

Figure 5.8: The proof system ED
Lemma 5.12.6 A proof step ({s1, . . . , sn}, s) is derivable in L if and only if the
proof step ({⊢ s1, . . . , ⊢ sn}, ⊢ s) is derivable in ED.
Proof The direction from L to ED is easy. The other direction follows from the
fact that for every step (P, A ⊢ s) ∈ ED and every premise (B ⊢ t) ∈ P we have
B ⊆ A. Hence a proof tree for a sequent ⊢ s will only involve sequents with an
empty assumption set and hence will not involve the rules Triv and Weak. ∎
Proposition 5.12.7 ⊢ s=t is derivable in ED if and only if s ∼λ t.
Exercise 5.12.8 Generalize the derived rules in Figure 5.7 to ED. For instance,
Sym generalizes to the rule with premise A ⊢ s=t and conclusion A ⊢ t=s. Of
particular interest are the rules Con, Sub, Rep, Abs and FE, which need side
conditions.
6 Tableau Proofs
In Chapter 4 we learned about logical interpretations. Logical interpretations
give us a notion of validity. In Chapter 5 we learned about proof systems. The
proof system B gives us a notion of deducibility. Using the basic and derived
proof rules presented in Chapter 5 to deduce a sequent often requires a great
deal of creativity. In this chapter we will make the process of proving a sequent
more mechanical.
6.1 An Example: Peirce’s Law
Before going on, let us consider an interesting formula called Peirce’s Law:
((p → q) → p) → p
Here we assume p, q : B are (distinct) names. We can argue that Peirce’s Law is
valid by considering logical interpretations.
Let I be any logical interpretation. The interpretation I(→) of implication
must be the function in B → B → B such that

  I(→)ab = 0   if a = 1 and b = 0
  I(→)ab = 1   if a = 0 or b = 1

for a, b ∈ B. In other words, I ⊨ s → t iff (if and only if) either I ⊨ ¬s or I ⊨ t.
Likewise, I ⊨ ¬(s → t) iff both I ⊨ s and I ⊨ ¬t.
Assume Peirce’s Law were not valid. Then there must be some logical inter-
pretation I such that
I ⊨ ¬(((p → q) → p) → p).
Consequently,
I ⊨ ¬p
and
I ⊨ (p → q) → p.
Hence either I ⊨ p or I ⊨ ¬(p → q). We cannot have I ⊨ p since this contradicts
I ⊨ ¬p. So we must have I ⊨ ¬(p → q). This means I ⊨ ¬q and I ⊨ p, which
again contradicts I ⊨ ¬p. Therefore, there can be no such logical interpretation
¬(((p → q) → p) → p)
(p → q) → p
¬p
 ├ p
 └ ¬(p → q)
    p
    ¬q

Figure 6.1: Tableau for Peirce’s Law
I. In other words, Peirce’s Law is valid. We summarize this argument in the form
of a tree in Figure 6.1. Let us call this tree a tableau for Peirce’s
law. (We will soon define the general notion of a tableau.) The root of the tree
contains the negation of Peirce’s Law. Each child node represents a consequence
of its ancestors. We represent the case split by splitting the main branch into
two branches.
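The case analysis above can be mechanized: a branch is extended until it either contains a contradiction or cannot be extended further. The following Python sketch is our own encoding (signed formulas as (sign, formula) pairs, implication only) and merely anticipates the tableau method developed in this chapter:

```python
def imp(s, t):
    # formulas: a variable name (string) or ('->', s, t)
    return ('->', s, t)

def closes(branch):
    """Do all ways of extending this set of signed formulas
    (sign, formula) run into a contradiction?"""
    atoms = {sf for sf in branch if isinstance(sf[1], str)}
    if any((not sign, f) in atoms for (sign, f) in atoms):
        return True                       # contradictory branch
    compound = next((sf for sf in branch
                     if not isinstance(sf[1], str)), None)
    if compound is None:
        return False                      # open branch: a countermodel
    rest = branch - {compound}
    sign, (_, s, t) = compound
    if sign:    # s -> t true: either s is false or t is true
        return (closes(rest | {(False, s)})
                and closes(rest | {(True, t)}))
    else:       # s -> t false: s is true and t is false
        return closes(rest | {(True, s), (False, t)})

peirce = imp(imp(imp('p', 'q'), 'p'), 'p')
print(closes(frozenset({(False, peirce)})))   # True: the tableau closes
```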
Now that we have an idea of why Peirce’s Law is valid, let us attempt to prove
it using the rules from Chapter 5. Our goal is to derive
⊢ ((p → q) → p) → p.
Applying Ded, we can reduce this to proving
(p → q) → p ⊢ p.
Using MP and Triv we can reduce this to proving
(p → q) → p ⊢ p → q.
Applying Ded, this reduces to deriving
(p → q) → p, p ⊢ q.
So far we have constructed the following partial proof tree:
(p → q) → p
p
¬q
 ├ p
 └ ¬(p → q)
    p
    ¬q

Figure 6.2: Tableau for sequent (6.1)
1. (p → q) → p ⊢ (p → q) → p    (Triv)
2. (p → q) → p, p ⊢ q           (open premise)
3. (p → q) → p ⊢ p → q          (Ded, 2)
4. (p → q) → p ⊢ p              (MP, 1, 3)
5. ⊢ ((p → q) → p) → p          (Ded, 4)
It remains to derive the sequent

(p → q) → p, p ⊢ q. (6.1)

It is not clear what we can do to make progress towards deriving (6.1). Instead
of applying more rules, let us consider why the sequent (6.1) might be valid. We
proceed exactly as we did for Peirce’s Law. Assume we have an interpretation I
witnessing that (6.1) is not valid. That is, I ⊨ (p → q) → p, I ⊨ p and I ⊨ ¬q.
Since I ⊨ (p → q) → p, we must have either I ⊨ p or I ⊨ ¬(p → q). In the
second case we must have I ⊨ p and I ⊨ ¬q. Figure 6.2 represents these steps
as a tableau. We did not reach any contradiction. In fact, if we take I to be a
logical interpretation where Ip = 1 and Iq = 0, then all of the formulas in the
tree are satisfied by I. In this case we have shown that the sequent

(p → q) → p, p ⊢ q

is not valid. As a consequence of soundness, we know there is no proof tree
ending with (p → q) → p, p ⊢ q.
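The interpretation Ip = 1, Iq = 0 can also be found mechanically by enumerating all interpretations of p and q; the helper names in the following sketch are our own:

```python
from itertools import product

def imp(a, b):
    return (not a) or b

def countermodel(assumptions, claim, names):
    # an interpretation witnessing that the sequent is not valid
    for values in product([False, True], repeat=len(names)):
        i = dict(zip(names, values))
        if all(a(i) for a in assumptions) and not claim(i):
            return i
    return None

# the sequent (p -> q) -> p, p |- q from the text
found = countermodel(
    [lambda i: imp(imp(i["p"], i["q"]), i["p"]), lambda i: i["p"]],
    lambda i: i["q"],
    ["p", "q"])
print(found)   # {'p': True, 'q': False}
```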
What happened? We were easily able to argue (using interpretations) that
Peirce’s Law was valid, but we got lost when trying to prove it. We were also
Closed   A, s, ¬s ⊢ ⊥

         A, t ⊢ ⊥   A, ¬s ⊢ ⊥
Imp      --------------------   s → t ∈ A, t ∉ A, ¬s ∉ A
         A ⊢ ⊥

         A, s, ¬t ⊢ ⊥
NegImp   -------------   ¬(s → t) ∈ A, {s, ¬t} ⊈ A
         A ⊢ ⊥

Figure 6.3: Some derivable refutation rules
easily able to show we were “lost” by arguing (again using interpretations) that a
subgoal was not valid. In the latter case, the argument gave us an interpretation
I showing the subgoal is not valid.
Can the argument for validity of Peirce’s Law (as depicted in Figure 6.1) serve
as a guide to proving Peirce’s Law? The answer is yes. In fact, if we have the
derived rules in Figure 6.3, then Figure 6.1 directly corresponds to the proof tree
                            A, ¬p, ¬(p → q), p, ¬q ⊢ ⊥
                           ──────────────────────────── Closed
   A, ¬p, p ⊢ ⊥   Closed    A, ¬p, ¬(p → q) ⊢ ⊥          NegImp
  ────────────────────────────────────────────────────── Imp
       ¬(((p → q) → p) → p), (p → q) → p, ¬p ⊢ ⊥
      ──────────────────────────────────────────── NegImp
             ¬(((p → q) → p) → p) ⊢ ⊥
            ───────────────────────── Contra
              ⊢ ((p → q) → p) → p

where A = {¬(((p → q) → p) → p), (p → q) → p}.

Exercise 6.1.1 Prove the following rules are derivable. You may use any of the
basic or derived rules from Chapter 5.
a)  Contra⁻    A ⊢ s
              ───────────
              A, ¬s ⊢ ⊥

b)  I¬        A, s ⊢ ⊥
              ──────────
              A ⊢ ¬s

c)  I¬⁻       A ⊢ ¬s
              ──────────
              A, s ⊢ ⊥

d) Prove the rules in Figure 6.3 are derivable.
6.2 Refutations
A refutation step is a proof step of the form

   A1 ⊢ ⊥   . . .   An ⊢ ⊥
  ──────────────────────────
            A ⊢ ⊥

where n ≥ 0 and A ⊂ Ai (i.e., A ⊆ Ai and A ≠ Ai) for each i ∈ {1, . . . , n}. A
refutation rule is a schema of refutation steps. We will introduce a number of
refutation rules throughout this chapter by giving a diagram
   A1 ⊢ ⊥   . . .   An ⊢ ⊥
  ──────────────────────────  φ
            A ⊢ ⊥
We restrict instances of refutation rules to be refutation steps. We have already
seen three refutation rules in Figure 6.3. Note that
   p → q, p, q ⊢ ⊥    p → q, p, ¬p ⊢ ⊥
  ──────────────────────────────────────
              p → q, p ⊢ ⊥
is an instance of the Imp rule. On the other hand,
   p → q, ¬p, q ⊢ ⊥    p → q, ¬p ⊢ ⊥
  ────────────────────────────────────
             p → q, ¬p ⊢ ⊥
is not an instance of the Imp rule since it is not a refutation step.
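The defining side condition — every premiss set must properly extend the conclusion set — is easy to check mechanically. A small sketch (the string encoding of formulas is ours):

```python
def is_refutation_step(a, premisses):
    """A step with conclusion A |- _|_ and premisses Ai |- _|_ is a
    refutation step iff A is a proper subset of every Ai (n >= 0)."""
    return all(a < ai for ai in premisses)  # '<' on sets is proper subset

A = frozenset({"p->q", "p"})
# The Imp instance above: both premisses properly extend A.
assert is_refutation_step(A, [A | {"q"}, A | {"~p"}])

B = frozenset({"p->q", "~p"})
# The second example: one premiss equals the conclusion,
# so the step is not a refutation step.
assert not is_refutation_step(B, [B | {"q"}, B])
```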
Exercise 6.2.1 Which of the following are instances of the refutation rule
NegImp?

a)   ¬p, p, ¬q ⊢ ⊥
    ──────────────────
    ¬p, ¬(p → q) ⊢ ⊥

b)   ¬p, ¬(p → q), p, ¬q ⊢ ⊥
    ─────────────────────────
    ¬p, ¬(p → q) ⊢ ⊥

c)   ¬(p → q), p, ¬q ⊢ ⊥
    ─────────────────────
    ¬(p → q), p ⊢ ⊥

d)   ¬(p → q), p, ¬q ⊢ ⊥
    ─────────────────────
    ¬(p → q), p, ¬q ⊢ ⊥
A refutation of A is a proof tree for A � ⊥ where each step is a refutation
step. Note that every sequent in a refutation must be of the form A � ⊥.
Each of the refutation rules we give in this chapter will be derivable in the
basic proof system B. Consequently, we will always be assured that if we have a
refutation of A using the refutation rules presented in this chapter, then we also
have A � ⊥.
Note that for any sequent A ⊢ s, we can reduce the problem of proving A ⊢ s to the problem of finding a refutation of A, ¬s by using the Contra rule.
Also, if we are trying to prove A � ⊥ and apply a refutation rule, then each
new subgoal will be Ai � ⊥ with A ⊂ Ai. Note that any interpretation satisfying
Ai will necessarily satisfy A. We can never end up with a subgoal that is not valid
unless A � ⊥ was not valid to begin with. This is in contrast to the ND system.
We saw in the case of Peirce’s Law that applying ND rules such as MP can yield
subgoals that are not valid even if the conclusion is valid. When we search with
ND rules, we may need to backtrack. When we search with refutation rules, we
never need to backtrack.
6.3 Tableaux
Just as the refutation of Peirce’s Law can be viewed as the tree in Figure 6.1, any
refutation can be viewed as such a tree. Suppose we have a refutation rule of the
form
   A, P1 ⊢ ⊥   . . .   A, Pn ⊢ ⊥
  ─────────────────────────────────   P ⊆ A, . . .
               A ⊢ ⊥
Note that each refutation rule (read from bottom to top) allows us to expand
the set of assumptions. Suppose P = {s1, . . . , sm} and Pi = {ti1, . . . , tiki} for each
i ∈ {1, . . . , n}. According to the refutation rule, if we have s1, . . . , sm in our
set of assumptions, then we can split the goal into n cases. In the ith case
(where i ∈ {1, . . . , n}), we can add ti1, . . . , tiki to our assumptions. As in Figure 6.1,
we include assumptions by extending the relevant branch of the tree and we
distinguish cases by splitting the relevant branch into several branches. Given
this convention, a tableau view of such a rule is shown in Figure 6.4. Figure 6.4
should be read operationally: if a branch contains all the formulas above the
line (and any side condition holds with respect to the branch), then we split the
branch into n branches where we add {ti1, . . . , tiki} to the ith branch. We can
also depict this operation as shown in Figure 6.5: if a branch on the current
tableau contains all the formulas on the solid line, then applying the refutation
rule allows us to extend the tableau by adding the dotted portions (so long as
any side condition holds with respect to the branch).
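Representing a tableau as a list of branches (each branch a list of the formulas on it), the branch-extension operation of Figure 6.5 can be sketched in a few lines of Python (our own encoding):

```python
def apply_to_branch(tableau, i, cases):
    """Replace branch i by one extension per case, where each case is the
    list of formulas t_1, ..., t_k to add to that branch."""
    branch = tableau[i]
    return tableau[:i] + [branch + case for case in cases] + tableau[i + 1:]

# Splitting on a disjunction: the Or rule turns one branch into two.
t = [["s | t"]]
t = apply_to_branch(t, 0, [["s"], ["t"]])
assert t == [["s | t", "s"], ["s | t", "t"]]

# A non-splitting rule (n = 1) just extends the branch, e.g. And:
t2 = apply_to_branch([["s & t"]], 0, [["s", "t"]])
assert t2 == [["s & t", "s", "t"]]
```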
          s1, . . . , sm
  ───────────────────────────────────────
  t11, . . . , t1k1   · · ·   tn1, . . . , tnkn
Figure 6.4: Tableau view of a refutation rule
  s1
  ...
  sm
   ┌──────┴──────┐
  t11    · · ·   tn1
  ...            ...
  t1k1           tnkn
Figure 6.5: Refutation rule as an operation on a tableau
How do tableaux correspond to refutations? For each branch of a tableau
there is a set A of formulas that occur on the branch. If the tableau has n
branches with corresponding sets of formulas A1, . . . , An, then we have n
sequents to prove, namely

A1 ⊢ ⊥   · · ·   An ⊢ ⊥
For some of the branches, we may be able to apply a refutation rule with no
premisses. One example of such a rule is the Closed rule in Figure 6.3. This rule
is given along with four other refutation rules with no premisses in Figure 6.6.
If one of these rules applies, then we say the branch is closed. In other words, a
branch with a set of formulas A is closed if one of the following holds:
1. {s,¬s} ⊆ A,
2. ⊥ ∈ A,
3. ¬⊤ ∈ A,
4. ¬(s = s) ∈ A, or
5. (s = t),¬(t = s) ∈ A.
Otherwise, we say the other branches are open. At any stage of the proof, our
goal is to prove the sequent A � ⊥ for each open branch with formulas A.
We think of the formulas on a branch conjunctively. We think of the collection
Closed ──────────    Closed ─────────────    Closed ───────────────
        A, ⊥ ⊢ ⊥            A, ¬⊤ ⊢ ⊥               A, s, ¬s ⊢ ⊥

Closed¬= ──────────────────    ClosedSym ──────────────────────────
          A, ¬(s = s) ⊢ ⊥                 A, (s = t), ¬(t = s) ⊢ ⊥
Figure 6.6: Derivable refutation rules with no premisses
of branches disjunctively. For a logical interpretation I , we say I satisfies a
branch if it satisfies every formula on the branch. We say a branch is satisfiable
if there is some logical interpretation I that satisfies the branch.
Suppose a branch with a set of formulas A is closed. Then A ⊢ ⊥ is derivable
(using one of the derived rules in Figure 6.6). By soundness, A is unsatisfiable. In
other words, the branch is unsatisfiable. If every branch of a tableau is closed,
then every branch is unsatisfiable.
Suppose C is a set of formulas such that every formula s ∈ C is on every
branch in the tableau. In this case, if some branch is satisfiable, then C is satisfi-
able.
6.4 Refutation Rules for Propositional Logic
We have already seen refutation rules for → in Figure 6.3. Also, there are two
refutation rules in Figure 6.6 for ⊤ and ⊥. In this section we will give derivable
refutation rules corresponding to the logical constants ¬, ∧, ∨ and =B. We also show
the tableau views of the rules. These rules will be enough to prove any valid for-
mula of propositional logic. That is, we will prove our first completeness results.
Refutation rules for propositional constants (including the two rules for →)
are given in Figure 6.7. In each of the rules we implicitly assume that A is a proper
subset of the left hand side of the sequent in each premiss. The corresponding
tableau views are shown in Figure 6.8. The rules are depicted as operations on
tableaux in Figure 6.9. We say a set of formulas A has a propositional refutation
if there is a refutation of A using only the rules in Figures 6.6 and 6.7.
We can now state the completeness result we want to prove.
Theorem 6.4.1 (Propositional Completeness)
1. If A is an unsatisfiable finite set of propositional formulas, then there is a
propositional refutation of A.
DNeg      A, s ⊢ ⊥
         ──────────   ¬¬s ∈ A
           A ⊢ ⊥

DeMorgan  A, ¬s ∧ ¬t ⊢ ⊥
         ────────────────   ¬(s ∨ t) ∈ A
              A ⊢ ⊥

DeMorgan  A, ¬s ∨ ¬t ⊢ ⊥
         ────────────────   ¬(s ∧ t) ∈ A
              A ⊢ ⊥

And       A, s, t ⊢ ⊥
         ─────────────   s ∧ t ∈ A
             A ⊢ ⊥

Or        A, s ⊢ ⊥    A, t ⊢ ⊥
         ──────────────────────   s ∨ t ∈ A
                 A ⊢ ⊥

Imp       A, t ⊢ ⊥    A, ¬s ⊢ ⊥
         ───────────────────────   s → t ∈ A
                 A ⊢ ⊥

NegImp    A, s, ¬t ⊢ ⊥
         ──────────────   ¬(s → t) ∈ A
              A ⊢ ⊥

Boolean=  A, s, t ⊢ ⊥    A, ¬s, ¬t ⊢ ⊥
         ──────────────────────────────   s ≡ t ∈ A
                    A ⊢ ⊥

Boolean≠  A, s, ¬t ⊢ ⊥    A, t, ¬s ⊢ ⊥
         ──────────────────────────────   ¬(s ≡ t) ∈ A
                    A ⊢ ⊥
Figure 6.7: Derivable refutation rules for propositional constants
DNeg    ¬¬s        DeMorgan  ¬(s ∨ t)       DeMorgan  ¬(s ∧ t)
        ───                  ────────                 ────────
         s                   ¬s ∧ ¬t                  ¬s ∨ ¬t

And     s ∧ t      Or    s ∨ t       Imp    s → t      NegImp  ¬(s → t)
        ─────            ─────              ──────             ────────
        s, t             s │ t              t │ ¬s              s, ¬t

Boolean=    s ≡ t             Boolean≠    ¬(s ≡ t)
         ─────────────                 ──────────────
         s, t │ ¬s, ¬t                 s, ¬t │ t, ¬s
Figure 6.8: Tableau views of refutation rules for propositional constants
In Figure 6.9 each rule is drawn as an operation on a tableau: the formulas above the solid line must already occur on the branch, and the dotted extensions are added when the rule is applied. In text form:

DNeg: a branch containing ¬¬s is extended with s.
DeMorgan: a branch containing ¬(s ∧ t) is extended with ¬s ∨ ¬t; one containing ¬(s ∨ t) is extended with ¬s ∧ ¬t.
And: a branch containing s ∧ t is extended with s and t.
Or: a branch containing s ∨ t is split into two branches, extended with s and with t respectively.
Imp: a branch containing s → t is split into two branches, extended with t and with ¬s.
NegImp: a branch containing ¬(s → t) is extended with s and ¬t.
Boolean=: a branch containing s =B t is split into two branches, extended with s, t and with ¬s, ¬t.
Boolean≠: a branch containing ¬(s =B t) is split into two branches, extended with s, ¬t and with t, ¬s.
Figure 6.9: Propositional refutation rules as operations on tableaux
2. If A is a finite set of propositional formulas, s is a propositional formula, and
A ⊨ s, then A ⊢ s.
Since the Contra rule is derived and all the rules in Figures 6.6 and 6.7 are
derived, the second part of Theorem 6.4.1 follows from the first part by consid-
ering the set A,¬s. That is, we only need to prove the first part of Theorem 6.4.1.
We will eventually prove that either A has a refutation or A is satisfiable. We first
prove that if we reach a proof state with subgoal A � ⊥ but none of the refutation
rules apply, then A must be satisfiable.
What does it mean to say none of the refutation rules applies? We mean
that no refutation step which is an instance of one of the refutation rules has
conclusion A � ⊥.
Suppose we are trying to prove � (q → p) → p. This reduces to refuting
{¬((q → p) → p)}. Applying the refutation rules we can construct the following
tableau with two branches:

¬((q → p) → p)
q → p
¬p
p │ ¬q

The left branch is closed since both p and ¬p occur on the branch. The right
branch is open and corresponds to the subgoal A � ⊥ where
A = {¬((q → p) → p), (q → p),¬p,¬q}.
Can we apply any of the refutation rules in Figures 6.6 and 6.7 to reduce A ⊢ ⊥ to new subgoals? In other words, does any instance of the refutation rules in
Figures 6.6 and 6.7 have conclusion A � ⊥? Inspecting each of the rules, we
find that no instance of the rules has conclusion A � ⊥. The only rules that
might apply are NegImp since ¬((q → p) → p) ∈ A and Imp since (q → p) ∈ A.
However, NegImp does not apply since {(q → p), (¬p)} ⊆ A and Imp does not
apply since ¬q ∈ A.
Clearly we cannot use the refutation rules in Figures 6.6 and 6.7 to refute
A = {¬((q → p) → p), (q → p),¬p,¬q}.
Is A satisfiable? In other words, is there a logical interpretation I such that I ⊨ A?
Yes, there is such a logical interpretation and we define one now. We will also
make use of this interpretation (appropriately modified) to prove that whenever
no instance of the refutation rules in Figures 6.6 and 6.7 has conclusion A � ⊥,
then A is satisfiable.
We define a default interpretation Id as follows. On the sort B, we take
IdB = {0,1}. On every other sort α, we take Idα to be the singleton set {∗}. On
function types τσ , Id(τσ) is defined to be the set of functions from Idτ to Idσ .
We can define a default element dτ of each Idτ as follows:
dB = 0 ∈ IdB,
dα = ∗ ∈ Idα for all other sorts α, and
dτσ = (λx ∈ Idτ. dσ) ∈ Id(τσ).

Note that the use of λ above is to describe a function, not a term. We have defined
dτσ as the function in Id(τσ) which takes each element of Idτ to dσ ∈ Idσ . For
each logical constant c of type σ, we define Idc to be the unique element of Idσ which has the property corresponding to the constant. For variables x of type σ,
we define Idx = dσ . That is, all variables are interpreted as the default element
of the given type.
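The default interpretation can be built quite literally in code. The sketch below is our own encoding: functions are represented as Python dictionaries, so argument types must themselves be non-functional for the dictionary keys to be hashable. It constructs the domains Idτ and the default elements dτ:

```python
from itertools import product

def domain(tau):
    """The domain Id(tau): types are 'B', another sort name, or a pair
    (tau, sigma) for the function type tau -> sigma."""
    if tau == 'B':
        return [0, 1]
    if isinstance(tau, str):
        return ['*']          # the single element of a non-Boolean sort
    t, s = tau
    dom, cod = domain(t), domain(s)
    # all functions from Id(t) to Id(s), represented as dicts
    return [dict(zip(dom, vals)) for vals in product(cod, repeat=len(dom))]

def default(tau):
    """The default element d_tau of Id(tau)."""
    if tau == 'B':
        return 0
    if isinstance(tau, str):
        return '*'
    t, s = tau
    return {a: default(s) for a in domain(t)}

alpha = 'a'                                  # some sort other than B
assert default('B') == 0 and default(alpha) == '*'
assert default((alpha, 'B')) == {'*': 0}     # maps * to the default 0
assert len(domain((alpha, 'B'))) == 2        # two functions alpha -> B
```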
One can easily see that Id � A since Idp = 0 and Idq = 0. We can use a similar
idea to prove the following general result.
Proposition 6.4.2 Let A be a finite set of propositional formulas. If no instance
of the refutation rules in Figures 6.6 and 6.7 has conclusion A � ⊥, then A is
satisfiable.
For any set A of propositional formulas we can construct a logical interpreta-
tion IA such that
IAp = 1 if p ∈ A,  and  IAp = 0 if p ∉ A.
We define IA as follows:
IAσ = Idσ
for all types σ ,
IAp = 1
if p ∈ A (where p is a variable), and
IAa = Ida
for every other name a. Clearly IA � p for names p ∈ A. We cannot in general
conclude IA � A (i.e., IA � s for all s ∈ A). However, we will soon define a
property ∇Prop of sets A of formulas which will guarantee IA � A. Once we
define ∇Prop we will be able to prove two lemmas. Proposition 6.4.2 will follow
from these two lemmas.
Lemma 6.4.3 Let A be a finite set of formulas. If no instance of the refutation
rules in Figures 6.6 and 6.7 has conclusion A � ⊥, then A satisfies ∇Prop.
Lemma 6.4.4 Let A be a set of formulas satisfying ∇Prop. For all propositional
formulas s, we have the following:
1. If s ∈ A, then IAs = 1.
2. If ¬s ∈ A, then IAs = 0.
To see that Proposition 6.4.2 follows from the two lemmas, we argue as follows.
Suppose A is a finite set of propositional formulas and no instance of the
refutation rules in Figures 6.6 and 6.7 has conclusion A ⊢ ⊥. By Lemma 6.4.3, A satisfies ∇Prop. By the first property in Lemma 6.4.4, IA ⊨ A.
The property ∇Prop will be the conjunction of several properties. We will call
these properties Hintikka properties. In order to simplify the presentation, let
us first consider the fragment of propositional logic with negation and implica-
tion. Let Prop→ be the set of formulas determined by the grammar
s ::= p | ¬s | s → s
where p : B is a variable.
We define the following Hintikka properties of a set A of formulas:
∇c For all formulas s, s ∉ A or ¬s ∉ A.
∇¬¬ If ¬¬s ∈ A, then s ∈ A.
∇→ If s → t ∈ A, then ¬s ∈ A or t ∈ A.
∇¬→ If ¬(s → t) ∈ A, then s ∈ A and ¬t ∈ A.
Let ∇Prop→ be the conjunction of these four Hintikka properties.
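Both the interpretation IA and the Hintikka properties are directly executable. In the sketch below (our own tuple encoding: ('var', p), ('not', s), ('imp', s, t)), hintikka checks the four properties of ∇Prop→ and eval_IA evaluates a formula under IA:

```python
def hintikka(A):
    """Check the four Hintikka properties defining nabla-Prop->."""
    ok_c = all(('not', s) not in A for s in A)
    ok_nn = all(s[1][1] in A
                for s in A if s[0] == 'not' and s[1][0] == 'not')
    ok_imp = all(('not', s[1]) in A or s[2] in A
                 for s in A if s[0] == 'imp')
    ok_nimp = all(s[1][1] in A and ('not', s[1][2]) in A
                  for s in A if s[0] == 'not' and s[1][0] == 'imp')
    return ok_c and ok_nn and ok_imp and ok_nimp

def eval_IA(A, s):
    """Evaluate s under IA: a variable is true iff it occurs in A."""
    if s[0] == 'var':
        return s in A
    if s[0] == 'not':
        return not eval_IA(A, s[1])
    return (not eval_IA(A, s[1])) or eval_IA(A, s[2])   # 'imp'

p, q = ('var', 'p'), ('var', 'q')
# The stuck branch from the (q -> p) -> p example above:
A = {('not', ('imp', ('imp', q, p), p)), ('imp', q, p),
     ('not', p), ('not', q)}
assert hintikka(A)
assert all(eval_IA(A, s) for s in A)   # IA satisfies every formula in A
```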
We now prove the following simplified versions of Lemmas 6.4.3 and 6.4.4.
Lemma 6.4.5 (Simplified version of Lemma 6.4.3) Let A be a finite set of formu-
las. If no instance of the refutation rules in Figures 6.6 and 6.7 has conclusion
A � ⊥, then A satisfies ∇Prop→.
Lemma 6.4.6 (Simplified version of Lemma 6.4.4) Let A be a set of formulas
satisfying ∇Prop→. For all s ∈ Prop→, we have the following:
1. If s ∈ A, then IAs = 1.
2. If ¬s ∈ A, then IAs = 0.
Proof (Proof of Lemma 6.4.5) We verify each of the four properties. The care-
ful reader will note that we can prove the result even if all we know is that no
instance of the rules Closed, DNeg, Imp or NegImp has conclusion A � ⊥.
∇c Assume ∇c does not hold. Then {s,¬s} ⊆ A for some formula s. In this
case an instance of the rule Closed has conclusion A � ⊥, contradicting our
assumption.
∇¬¬ Assume ∇¬¬ does not hold. We must have ¬¬s ∈ A and s ∉ A. In this case
an instance of DNeg has conclusion A � ⊥ (and premiss A, s � ⊥).
∇→ Assume ∇→ does not hold. We must have s → t ∈ A, ¬s ∉ A and t ∉ A. In
this case an instance of Imp has conclusion A ⊢ ⊥ (and premisses A, ¬s ⊢ ⊥ and A, t ⊢ ⊥).
∇¬→ Assume ∇¬→ does not hold. We must have ¬(s → t) ∈ A and {s, ¬t} ⊄ A. In this case an instance of NegImp has conclusion A ⊢ ⊥ (and premiss
A, s, ¬t ⊢ ⊥). □
Proof (Proof of Lemma 6.4.6) The proof is by induction on the structure of s ∈ Prop→. We need to prove that for every s ∈ Prop→ the two properties hold:
(1s ) If s ∈ A, then IAs = 1.
(2s ) If ¬s ∈ A, then IAs = 0.
There are three kinds of formulas in Prop→: variables p, negations ¬s and
implications s → t. We consider each case.
For the base case of the induction we consider a variable p ∈ Prop→.
(1p): Assume p ∈ A. We must prove IAp = 1. This is trivial since IAp was
defined to be 1.
(2p): Assume ¬p ∈ A. We must prove IAp = 0. By ∇c we know p ∉ A. By
definition IAp = 0.
Next we consider ¬s ∈ Prop→. Our inductive hypothesis is that both (1s) and
(2s ) hold.
(1¬s): Assume ¬s ∈ A. We must prove IA(¬s) = 1. By (2s) we know IAs = 0 and
so IA(¬s) = 1.
(2¬s): Assume ¬¬s ∈ A. We must prove IA(¬s) = 0. By ∇¬¬ we have s ∈ A. By
(1s) we know IAs = 1 and so IA(¬s) = 0.
Finally we consider s → t ∈ Prop→. Our inductive hypothesis is that (1s), (2s ),
(1t) and (2t) hold.
(1s→t): Assume s → t ∈ A. We must prove IA(s → t) = 1. By ∇→ either ¬s ∈ A or t ∈ A. If ¬s ∈ A then IAs = 0 by (2s) and so IA(s → t) = 1. If t ∈ A then
IAt = 1 by (1t) and so IA(s → t) = 1. In either case we have the desired result.
(2s→t) Assume ¬(s → t) ∈ A. We must prove IA(s → t) = 0. By ∇¬→ both
s ∈ A and ¬t ∈ A. By (1s ) and (2t) we have IAs = 1 and IAt = 0. Hence
IA(s → t) = 0. □
We now define ∇Prop as the conjunction of the following 12 properties of a
set A of formulas:
∇c For all formulas s, s ∉ A or ¬s ∉ A.
∇⊥ ⊥ ∉ A.
∇¬⊤ ¬⊤ ∉ A.
∇¬¬ If ¬¬s ∈ A, then s ∈ A.
∇→ If s → t ∈ A, then ¬s ∈ A or t ∈ A.
∇¬→ If ¬(s → t) ∈ A, then s ∈ A and ¬t ∈ A.
∇∨ If s ∨ t ∈ A, then s ∈ A or t ∈ A.
∇¬∨ If ¬(s ∨ t) ∈ A, then ¬s ∈ A and ¬t ∈ A.
∇∧ If s ∧ t ∈ A, then s ∈ A and t ∈ A.
∇¬∧ If ¬(s ∧ t) ∈ A, then ¬s ∈ A or ¬t ∈ A.
∇≡ If s ≡ t ∈ A, then {s, t} ⊆ A or {¬s,¬t} ⊆ A.
∇≢ If ¬(s ≡ t) ∈ A, then {s, ¬t} ⊆ A or {¬s, t} ⊆ A.
Note that this includes the four properties we used to define ∇Prop→. We can
prove Lemmas 6.4.3 and 6.4.4 using the same techniques as Lemmas 6.4.5
and 6.4.6. We sketch the proofs and leave the reader to check the details.
Proof (Proof of Lemma 6.4.3) ∇c ,∇⊥,∇¬� since Closed does not apply.
∇¬¬ since DNeg does not apply.
∇→ since Imp does not apply.
∇¬→ since NegImp does not apply.
∇∨ since Or does not apply.
∇¬∨ since otherwise either DeMorgan or And would apply.
∇∧ since And does not apply.
∇¬∧ since otherwise either DeMorgan or Or would apply.
∇≡ since Boolean= does not apply.
∇≢ since Boolean≠ does not apply. □
Proof (Proof of Lemma 6.4.4) The proof is by induction on the propositional
formula s:
• For variables p use ∇c.
• For ⊤ use ∇¬⊤.
• For ⊥ use ∇⊥.
• For ¬s use ∇¬¬.
• For s → t use ∇→ and ∇¬→.
• For s ∨ t use ∇∨ and ∇¬∨.
• For s ∧ t use ∇∧ and ∇¬∧.
• For s ≡ t use ∇≡ and ∇≢. □
Finally, we can prove propositional completeness.
Proof (Proof of Theorem 6.4.1) Suppose A is an unsatisfiable finite set of propositional formulas and A has no propositional refutation. We will prove a contradiction.
First we define the height h(s) of a propositional formula s by induction as
follows:
h(p) = 1                          h(⊤) = 1
h(⊥) = 1                          h(¬s) = 1 + h(s)
h(s → t) = 1 + max(h(s), h(t))    h(s ∧ t) = 1 + max(h(s), h(t))
h(s ∨ t) = 1 + max(h(s), h(t))    h(s ≡ t) = 1 + max(h(s), h(t))
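The height function translates directly into code; a quick sketch with our own tuple encoding of formulas:

```python
def h(s):
    """Height of a propositional formula. Encoding: ('var', name),
    ('top',), ('bot',), ('not', s), ('imp'|'and'|'or'|'equiv', s, t)."""
    if s[0] in ('var', 'top', 'bot'):
        return 1
    if s[0] == 'not':
        return 1 + h(s[1])
    return 1 + max(h(s[1]), h(s[2]))

p, q = ('var', 'p'), ('var', 'q')
assert h(('not', ('not', p))) == 3
# Peirce's Law has height 4:
assert h(('imp', ('imp', ('imp', p, q), p), p)) == 4
```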
Let H be the maximum height of the propositional formulas in A. There are
only finitely many names in N A and there are only finitely many propositional
formulas s with height at most H such that N s ⊆ N A. Let F be this finite set.
Clearly A ⊆ F .
By Proposition 6.4.2 there is some instance of a rule from Figures 6.6 and 6.7
of the form
A1 � ⊥ . . . An � ⊥A � ⊥
Since A has no propositional refutation, at least one Ai must have no proposi-
tional refutation. Examining the rules, we also see that Ai ⊆ F since the pre-
misses never have greater height than any formula in the conclusion and every
name occurring free in the premisses must have occurred free in the conclusion.
Also, since A is unsatisfiable and A is a (proper) subset of Ai, Ai is also unsatis-
fiable. Let C0 be A and C1 be Ai. We will define an infinite sequence of sets Cn
recursively.
Suppose we have an unsatisfiable set Cn ⊆ F which has no propositional refu-
tation. As above, there must be an instance of one of the rules with conclusion
Cn � ⊥ and a premiss Cn+1 � ⊥ where Cn+1 has no propositional refutation.
Again, Cn is a proper subset of Cn+1 and Cn+1 ⊆ F . By induction we have an
infinite chain
C0 ⊂ C1 ⊂ C2 ⊂ · · · ⊂ Cn ⊂ · · ·
Since each inclusion is proper, ⋃n Cn must be infinite. On the other hand,
⋃n Cn is a subset of the finite set F since each Cn ⊆ F. This is a contradiction. □
Implicit in the proof above is the fact that any search for a proof will either
terminate with a refutation or with a satisfiable set of propositional formulas
extending the set we intended to refute. Consequently, we have a decision pro-
cedure for propositional formulas.
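This decision procedure is short enough to sketch directly. The Python below (our own encoding, covering the fragment with variables, ¬, →, ∧ and ∨) applies the refutation rules with their side conditions until either every branch closes or no rule applies:

```python
def refute(A):
    """Search for a propositional refutation of the finite set A.
    Returns True iff A is refutable; otherwise A is satisfiable."""
    A = frozenset(A)
    if any(('not', s) in A for s in A):          # Closed
        return True
    for s in A:
        if s[0] == 'not':
            t = s[1]
            if t[0] == 'not' and t[1] not in A:  # DNeg
                return refute(A | {t[1]})
            if t[0] == 'imp':                    # NegImp
                new = {t[1], ('not', t[2])}
                if not new <= A:
                    return refute(A | new)
            if t[0] == 'and':                    # DeMorgan: ~(s&t) adds ~s|~t
                d = ('or', ('not', t[1]), ('not', t[2]))
                if d not in A:
                    return refute(A | {d})
            if t[0] == 'or':                     # DeMorgan: ~(s|t) adds ~s&~t
                d = ('and', ('not', t[1]), ('not', t[2]))
                if d not in A:
                    return refute(A | {d})
        elif s[0] == 'and':                      # And
            if not {s[1], s[2]} <= A:
                return refute(A | {s[1], s[2]})
        elif s[0] == 'or':                       # Or: split into two branches
            if s[1] not in A and s[2] not in A:
                return refute(A | {s[1]}) and refute(A | {s[2]})
        elif s[0] == 'imp':                      # Imp: split into two branches
            if s[2] not in A and ('not', s[1]) not in A:
                return refute(A | {s[2]}) and refute(A | {('not', s[1])})
    return False  # no rule applies: A is a Hintikka set, hence satisfiable

p, q = ('var', 'p'), ('var', 'q')
peirce = ('imp', ('imp', ('imp', p, q), p), p)
assert refute({('not', peirce)})                         # Peirce's Law is valid
assert not refute({('not', ('imp', ('imp', q, p), p))})  # (q -> p) -> p is not
```

The side conditions on each rule guarantee that every recursive call works on a proper superset, so the search terminates for exactly the reason given in the proof above.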
6.5 Quantifiers
We now consider refutation rules for quantifiers and the corresponding tableaux.
The refutation rules are shown in Figure 6.10 and corresponding tableau views
are shown in Figure 6.11. As with the propositional case, we include DeMorgan
rules to exchange negation with a quantifier. To apply the Forall rule we must
give a term t of the same type as the bound variable. Discovering the correct t to
use in a given proof often requires creativity. To apply the Exists rule we must
give a variable y of the same type as the bound variable. The only requirement
DeMorgan  A, ∃x.¬s ⊢ ⊥
         ──────────────   ¬(∀x.s) ∈ A
              A ⊢ ⊥

DeMorgan  A, ∀x.¬s ⊢ ⊥
         ──────────────   ¬(∃x.s) ∈ A
              A ⊢ ⊥

Forall    A, sxt ⊢ ⊥
         ────────────   ∀x.s ∈ A
             A ⊢ ⊥

Exists    A, sxy ⊢ ⊥
         ────────────   ∃x.s ∈ A,  y ∉ N A
             A ⊢ ⊥
Figure 6.10: Derivable refutation rules for quantifiers
DeMorgan  ¬∀x.s      DeMorgan  ¬∃x.s      Forall  ∀x.s      Exists  ∃x.s
          ─────                ─────              ────              ────
          ∃x.¬s                ∀x.¬s              sxt               sxy

                                             (Exists: where y is fresh)
Figure 6.11: Tableau views for quantifier rules
is that y is not free in the conclusion sequent. Note that if the bound variable
x does not occur in the conclusion sequent then we can use x for y . For the
tableau view of the Exists rule in Figure 6.11 we simply say y is fresh to mean
y is not free in any formula on the branch. Again, if x is not free in any formula
on the branch, then we can simply use the same name x.
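Picking the name for an Exists application is a purely mechanical “fresh name” computation. A possible sketch, using a priming convention like the primed names that appear in the examples later in this section:

```python
def fresh(base, used):
    """Return base itself if it is not free on the branch, otherwise
    decorate it with primes until the name is unused."""
    name = base
    while name in used:
        name += "'"
    return name

assert fresh('x', set()) == 'x'            # x not free: simply reuse x
assert fresh('y', {'y'}) == "y'"
assert fresh('y', {'y', "y'"}) == "y''"
```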
Combining these rules with the propositional rules will be enough to prove
any first-order sequent. We say a set A has a first-order refutation if A is first-
order and there is a refutation of A using only the rules in Figures 6.6, 6.7
and 6.10.
Unlike the propositional case, applying the rules will not terminate in general.
This is because the Forall rule can be applied infinitely many times (by choosing
different terms t). Consequently, the rules will not give a decision procedure.
Indeed, the set of provable first-order sequents is not decidable. However, we
will be able to argue completeness in a similar way as the propositional case.
Suppose we have a finite set of first-order formulas A for which there is no
first-order refutation. Applying the same procedure as in the proof of proposi-
tional completeness (Theorem 6.4.1) we can argue that either A is satisfiable or
some rule must apply. The instance of the rule must have a premiss for which
there is also no first-order refutation. Continuing this process we obtain a chain
of finite sets of formulas
A ⊂ C1 ⊂ · · · ⊂ Cn ⊂ · · · .
This time we will prove that the set ⋃n Cn is satisfiable.
Before embarking on another completeness result we consider a few exam-
ples.
We first consider two small examples. Let α be a sort different from B and let
p : αB and x,a, b : α be names. We will give a tableau proof of
(pa∨ pb)→ ∃x.px
We first negate the statement (applying Contra) and then apply NegImp to obtain
¬((pa ∨ pb) → ∃x.px)
pa ∨ pb
¬∃x.px
After applying DeMorgan we have ∀x.¬px on the branch and after applying Or
we have the following tableau:
¬((pa ∨ pb) → ∃x.px)
pa ∨ pb
¬∃x.px
∀x.¬px
pa │ pb
On the left branch we apply Forall with the term a and this branch is then closed.
On the right branch we apply Forall with the term b and then both branches are
closed. The final tableau is shown in Figure 6.12. The reader is encouraged to
consider other possible tableau proofs by reordering the application of the rules.
By a similar process we can construct a tableau proof of
(∀x.px) → (pa∧ pb)
such as the one shown in Figure 6.13.
Note that in both of these examples we have used the Forall rule, in spite of
the fact that the first example contained ∃ and the second example contained ∀.
We have not yet had an example using the Exists rule.
Consider the following simple example with a name r : ααB and names
x,y, z : α where α is a sort other than B:
(∃x.rxx) → ∃yz.ryz
¬((pa ∨ pb) → ∃x.px)
pa ∨ pb
¬∃x.px
∀x.¬px
   ┌────┴────┐
   pa        pb
   ¬pa       ¬pb
Figure 6.12: Tableau example with ∃
¬((∀x.px) → pa ∧ pb)
∀x.px
¬(pa ∧ pb)
¬pa ∨ ¬pb
   ┌────┴────┐
   ¬pa       ¬pb
   pa        pb
Figure 6.13: Tableau example with ∀
After negating this and applying NegImp we have the tableau
¬((∃x.rxx) → ∃yz.ryz)
∃x.rxx
¬∃yz.ryz
We can now apply Exists to ∃x.rxx with any name of type α that is not free in
the branch. Let us simply use x. This adds rxx to the branch. The idea now
is to apply DeMorgan and Forall to ¬∃yz.ryz until we obtain a contradiction.
Each time we apply the Forall rule we use the term x. In the end we obtain the
tableau shown in Figure 6.14 in which the single branch is closed.
We now turn to a larger example. Let α and β be sorts different from B, let
r : αβB, x : α and y : β be names of the given types. Consider the following
formula:
(∃y.∀x.rxy) → ∀x.∃y.rxy (6.2)
Is this formula valid? It may be helpful to translate the formula into everyday
language. Suppose α represents the students taking this class and β represents
various reading materials. Suppose rxy means student x reads y . The left side
of the implication
∃y.∀x.rxy
¬((∃x.rxx) → ∃yz.ryz)
∃x.rxx
¬∃yz.ryz
rxx
∀y.¬∃z.ryz
¬∃z.rxz
∀z.¬rxz
¬rxx
Figure 6.14: Tableau example using Exists
means there is some reading material y that every student x reads. This is, of
course, true, because all of you are reading these lecture notes. The right hand
side of the implication
∀x.∃y.rxy

means that every student x reads some material y. This is, of course, a weaker
statement. It only asserts that every student reads something, not that all students are reading the same thing. The right hand side of the implication would
still be true even if some student x reads the newspaper but does not read these
lecture notes. This interpretation suggests that (6.2) is a valid statement, but
that the converse implication
(∀x.∃y.rxy) → ∃y.∀x.rxy (6.3)
is not valid.
We construct a tableau proof of (6.2) in a step by step fashion. We first negate
the statement (applying Contra) and then apply NegImp to obtain
¬((∃y.∀x.rxy) → ∀x.∃y.rxy)
∃y.∀x.rxy
¬(∀x.∃y.rxy)
According to the only branch of this tableau, there is some y that every x reads
but it is not the case that every x reads some y . Since there is some reading
material y that every x reads, we can choose some name to stand for such
reading material. Let us use the name n : β (short for “lecture notes”). Applying
Exists with name n we extend the branch to obtain
¬((∃y.∀x.rxy) → ∀x.∃y.rxy)
∃y.∀x.rxy
¬(∀x.∃y.rxy)
∀x.rxn
Now we apply DeMorgan to add ∃x.¬(∃y.rxy) to the branch indicating that
some student x does not read anything. We can apply Exists to this formula by
giving a name of type α. We use the name u : α (short for “unfortunate”) to
stand for this student. Following the use of Exists by DeMorgan we obtain
¬((∃y.∀x.rxy) → ∀x.∃y.rxy)
∃y.∀x.rxy
¬(∀x.∃y.rxy)
∀x.rxn
∃x.¬(∃y.rxy)
¬(∃y.ruy)
∀y.¬ruy
After a careful look at this tableau, you should recognize that the two formulas
∀x.rxn and ∀y.¬ruy cannot both be true. If every student is reading the
lecture notes, then there cannot be an unfortunate student who reads nothing.
To make the conflict explicit we apply the Forall rule to ∀y.¬ruy with term n and obtain
¬((∃y.∀x.rxy) → ∀x.∃y.rxy)
∃y.∀x.rxy
¬(∀x.∃y.rxy)
∀x.rxn
∃x.¬(∃y.rxy)
¬(∃y.ruy)
∀y.¬ruy
¬run
We have now concluded that the unfortunate student is not reading the lecture
notes. But every student reads the lecture notes. To make this explicit we apply
Forall to ∀x.rxn with term u and obtain the tableau where the only branch is
now closed:

¬((∃y.∀x.rxy) → ∀x.∃y.rxy)
∃y.∀x.rxy
¬(∀x.∃y.rxy)
∀x.rxn
∃x.¬(∃y.rxy)
¬(∃y.ruy)
∀y.¬ruy
¬run
run
We have given a first-order refutation of the negation of (6.2) and hence a
(tableau) proof of (6.2). In particular, (6.2) is valid.
It is worthwhile to consider the converse implication (6.3) as well. As we
have argued informally above, (6.3) is not valid. If we negate (6.3) and apply the
obvious rules we obtain a tableau

¬((∀x.∃y.rxy) → ∃y.∀x.rxy)
∀x.∃y.rxy
¬(∃y.∀x.rxy)
∀y.¬∀x.rxy
To make progress we must apply the Forall rule to either ∀x.∃y.rxy with some
term of type α or ∀y.¬∀x.rxy with some term of type β. There are no reason-
able terms of either type to use here. Suppose we apply the Forall rule to each
of the two using the names u : α (the unfortunate student) and n : β (the lecture
notes). After applying Forall twice and DeMorgan we obtain
¬((∀x.∃y.rxy) → ∃y.∀x.rxy)
∀x.∃y.rxy
¬(∃y.∀x.rxy)
∀y.¬∀x.rxy
∃y.ruy
¬∀x.rxn
∃x.¬rxn

We may be tempted to apply Exists to ∃y.ruy using name n and ∃x.¬rxn
using name u. If we did this, then the branch would be closed. That would be
a disaster since we would have proven formula (6.3) which was not valid! What
prevents this disaster? Neither application of Exists would be legal since both
n and u occur in the branch. (Neither is fresh.) If we apply Exists using fresh
names n′ and u′, then we obtain
¬((∀x.∃y.rxy) → ∃y.∀x.rxy)
∀x.∃y.rxy
¬(∃y.∀x.rxy)
∀y.¬∀x.rxy
∃y.ruy
¬∀x.rxn
∃x.¬rxn
run′
¬ru′n
which is not closed. Note that we could continue trying to build this tableau by
applying Forall to ∀x.∃y.rxy and ∀y.¬∀x.rxy with other terms (e.g., u′ and
n′). The attempt to close the branch can go on forever but the branch will never
close.
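The informal reading-material argument against (6.3) can be turned into a concrete finite countermodel and checked by brute force. In the sketch below (domains and the relation are our own choice), the premise of (6.3) holds but its conclusion fails:

```python
students = ['s1', 's2']             # domain for sort alpha
materials = ['newspaper', 'notes']  # domain for sort beta

# r x y: student x reads y; each student reads something different
r = {('s1', 'newspaper'), ('s2', 'notes')}

# forall x. exists y. r x y  -- every student reads something
premise = all(any((x, y) in r for y in materials) for x in students)

# exists y. forall x. r x y  -- some one thing is read by everyone
conclusion = any(all((x, y) in r for x in students) for y in materials)

# The implication (6.3) fails in this interpretation, so it is not valid.
assert premise and not conclusion
```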
Now we turn to another example. Let N be a sort other than B and let s : NNB
and x, y, z : N be names. We can think of sxy as meaning “x has successor y,”
or “y is the successor of x.” We can express the idea that every element has a
successor with the formula

∀x.∃y.sxy.

If we assume every element has a successor, then we should be able to prove

∀x.∃yz.sxy ∧ syz.

We formulate the statement as the single formula

(∀x.∃y.sxy) → ∀x.∃yz.sxy ∧ syz.

We construct a tableau proof of this. We first negate the statement (applying
Contra) and then apply NegImp and DeMorgan to obtain
¬((∀x.∃y.sxy) → ∀x.∃yz.sxy ∧ syz)
∀x.∃y.sxy
¬∀x.∃yz.sxy ∧ syz
∃x.¬∃yz.sxy ∧ syz
We can apply Exists using the name x (since it does not occur free in the branch)
and include
¬∃yz.sxy ∧ syz

on the branch. This new formula says there is no successor y of x which
has a successor z. We can obtain a successor of x by applying Forall
to ∀x.∃y.sxy with the term x. When we do this we have
∃y.sxy
on the branch. Since y does not occur free on the branch we can apply Exists
with y and include

sxy
on the branch. We now want to use this y . We do this by applying DeMorgan to
¬∃yz.sxy ∧ syz and then Forall to ∀y.¬∃z.sxy ∧ syz to obtain
¬((∀x.∃y.sxy) → ∀x.∃yz.sxy ∧ syz)
∀x.∃y.sxy
¬∀x.∃yz.sxy ∧ syz
∃x.¬∃yz.sxy ∧ syz
¬∃yz.sxy ∧ syz
∃y.sxy
sxy
∀y.¬∃z.sxy ∧ syz
¬∃z.sxy ∧ syz
Since y is a successor of x we know
¬∃z.sxy ∧ syz
means there is no successor z of y . We also know we can obtain a successor of
anything using ∀x.∃y.sxy . We apply Forall to this formula with y . Note that
when we substitute, the bound y will be renamed to another variable y′ to avoid
capture. Hence we add

∃y′.syy′
to the branch. We can now apply Exists with any variable of type N that does not
occur on the branch. We cannot use x or y . We can use y′ (unless y′ happens
to be x), but a reasonable choice in this context is z. We use z and add
syz
to the branch. We now apply DeMorgan to ¬∃z.sxy ∧ syz, then Forall with this
z, then DeMorgan and Or to obtain
¬((∀x.∃y.sxy) → ∀x.∃yz.sxy ∧ syz)
∀x.∃y.sxy
¬∀x.∃yz.sxy ∧ syz
∃x.¬∃yz.sxy ∧ syz
¬∃yz.sxy ∧ syz
∃y.sxy
sxy
∀y.¬∃z.sxy ∧ syz
¬∃z.sxy ∧ syz
∃y′.syy′
syz
∀z.¬(sxy ∧ syz)
¬(sxy ∧ syz)
¬sxy ∨ ¬syz
¬sxy │ ¬syz
Note that both branches are closed.
Figure 6.15 shows the tableau views of the refutation rules we have intro-
duced so far (except for Closed¬ = and ClosedSym). We will also refer to the
tableau views of such refutation rules as tableau rules.
6.6 Termination and Completeness with Restrictions
We define a restricted set of formulas. Let I be a sort other than B. There are
infinitely many names of type I. Let V and P be two disjoint, infinite sets of
(Each rule is written premise ⇒ added formulas, with "|" separating the branches it creates.)

Closed      s, ¬s
Closed      ⊥
Closed      ¬⊤
DNeg        ¬¬s ⇒ s
DeMorgan    ¬(s ∨ t) ⇒ ¬s ∧ ¬t
DeMorgan    ¬(s ∧ t) ⇒ ¬s ∨ ¬t
And         s ∧ t ⇒ s, t
Or          s ∨ t ⇒ s | t
Imp         s → t ⇒ t | ¬s
NegImp      ¬(s → t) ⇒ s, ¬t
Boolean=    s ≡ t ⇒ s, t | ¬s, ¬t
Boolean≠    ¬(s ≡ t) ⇒ s, ¬t | t, ¬s
DeMorgan    ¬∀x.s ⇒ ∃x.¬s
DeMorgan    ¬∃x.s ⇒ ∀x.¬s
Forall      ∀x.s ⇒ sxt
Exists      ∃x.s ⇒ sxy    where y is fresh
Figure 6.15: Tableau rules so far
names of type I. In this section we will use the word variable to mean a member
of V and the word parameter to mean a member of P. Disjointness means
V ∩ P = ∅. In words, a name cannot be both a variable and a parameter.
• We use x,y, z for variables.
• We use a, b, c for parameters. We fix one particular parameter a0 ∈ P which
we will use for a special purpose.
• We use w to range over V ∪P.
• For terms s we define
  V s = N s ∩ V (the variables free in s)
and for sets A of terms we define
  VA = NA ∩ V (the variables free in A).
• For terms s we define
  Ps = N s ∩ P (the parameters free in s)
and for sets A of terms we define
  PA = NA ∩ P (the parameters free in A).
Closed    s, ¬s
And       s ∧ t ⇒ s, t
Or        s ∨ t ⇒ s | t
Forall    ∀x.s ⇒ sxa    where a ∈ P is a parameter on the branch or a0
Exists    ∃x.s ⇒ sxa    where a ∈ P is fresh and there is no b ∈ P such that sxb is on the branch
Figure 6.16: Restricted tableau calculus TPLN
We define the set of PLN-formulas s by the grammar
  s ::= pw···w | ¬pw···w | s ∨ s | s ∧ s | ∀x.s | ∃x.s
where p is a name of type I···IB. Notice that the bound names in PLN-formulas
are all variables (members of V). Note also that each PLN-formula is a first-order
formula (see Section 5.7). Here we are most interested in closed PLN-formulas:
  PLNc = {s | s is a PLN-formula and V s = ∅}.
Along with the restricted set of formulas we also define a restricted calculus.
The restricted tableau calculus TPLN is given by the rules in Figure 6.16.
Suppose A ⊆ PLNc is the finite set of closed PLN-formulas occurring on an
open branch of some tableau. If none of the TPLN-rules apply to the branch, then
the following Hintikka properties hold for A:
∇c For all formulas s, s ∉ A or ¬s ∉ A.
∇∨ If s ∨ t ∈ A, then s ∈ A or t ∈ A.
∇∧ If s ∧ t ∈ A, then s ∈ A and t ∈ A.
∇∀ If ∀x.s ∈ A, then sxa ∈ A for all a ∈ PA ∪ {a0}.
∇∃ If ∃x.s ∈ A, then sxa ∈ A for some a ∈ P.
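A finite set can be checked against these properties mechanically. The following Python sketch illustrates the five conditions, using a hypothetical tuple encoding of PLN-formulas (not the notes' own term syntax); the witnesses for the quantifier clauses are drawn from a given parameter set plus the default a0:

```python
def is_hintikka(A, params, a0='a0'):
    """Check the five Hintikka properties for a finite set A of formulas,
    encoded as tuples ('atom', p, w), ('not', s), ('and', s, t),
    ('or', s, t), ('forall', x, s), ('exists', x, s)."""
    def subst(s, x, a):
        tag = s[0]
        if tag == 'atom':
            return ('atom', s[1], a if s[2] == x else s[2])
        if tag == 'not':
            return ('not', subst(s[1], x, a))
        if tag in ('and', 'or'):
            return (tag, subst(s[1], x, a), subst(s[2], x, a))
        if s[1] == x:                 # x is rebound below; stop substituting
            return s
        return (tag, s[1], subst(s[2], x, a))

    names = params | {a0}
    for s in A:
        if ('not', s) in A:                                    # ∇c
            return False
        tag = s[0]
        if tag == 'or' and s[1] not in A and s[2] not in A:    # ∇∨
            return False
        if tag == 'and' and (s[1] not in A or s[2] not in A):  # ∇∧
            return False
        if tag == 'forall' and any(                            # ∇∀
                subst(s[2], s[1], a) not in A for a in names):
            return False
        if tag == 'exists' and not any(                        # ∇∃
                subst(s[2], s[1], a) in A for a in names):
            return False
    return True
```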
For any set A ⊆ PLNc, if A satisfies these Hintikka properties, then A is satisfiable. We record this fact in the following model existence theorem.
Theorem 6.6.1 (Model Existence Theorem) Suppose A ⊆ PLNc and A satisfies
the Hintikka properties ∇c , ∇∨, ∇∧, ∇∀ and ∇∃. There is a logical interpretation
I such that I ⊨ s for all s ∈ A.
Proof We define I on types as follows:
  IB = {0, 1}
  II = PA ∪ {a0}
  Iα = {∅}   for sorts α ∉ {B, I}
  I(στ) = all functions from Iσ to Iτ.
For each type σ we define a default element dσ ∈ Iσ as follows:
  dB = 0
  dI = a0
  dα = ∅   for sorts α ∉ {B, I}
  dστ = the constant function (λx ∈ Iσ.dτ).
For each logical constant c : σ we choose Ic to be the unique element of Iσ with
the property corresponding to the constant. For each name a ∈ PA ∪ {a0} we
take
Ia = a.
For each name p : I···IB such that p ∈ NA, we define Ip ∈ I(I···IB) such
that for b1, . . . , bn ∈ II we have
  (Ip)b1···bn = 1 if (pb1···bn) ∈ A, and 0 otherwise.
For every other name u : σ we take
Iu = dσ .
I is clearly a logical interpretation.
It remains to prove that I ⊨ s for every s ∈ A. Rephrased, we prove (by
induction on PLN-formulas) for every s ∈ PLN, if s ∈ A, then Is = 1. We consider
each case:
• Assume (pb1 · · ·bn) ∈ A. By definition I(pb1 · · ·bn) = 1.
• Assume (¬pb1 · · ·bn) ∈ A. By ∇c we know (pb1 · · ·bn) ∉ A. Hence
I(pb1 · · ·bn) = 0 and so I(¬pb1 · · ·bn) = 1.
• Assume (s1 ∨ s2) ∈ A. By ∇∨ we know s1 ∈ A or s2 ∈ A. By inductive
hypothesis either Is1 = 1 or Is2 = 1. Hence I(s1 ∨ s2) = 1.
• Assume (s1 ∧ s2) ∈ A. By ∇∧ we know s1 ∈ A and s2 ∈ A. By inductive
hypothesis Is1 = 1 and Is2 = 1. Hence I(s1 ∧ s2) = 1.
• Assume (∀x.s) ∈ A. By ∇∀ we know sxa ∈ A for all a ∈ PA ∪ {a0}. By
inductive hypothesis Isxa = 1 for all a ∈ II. Using Lemma 4.1.3 we know
Îx,a s = 1 for all a ∈ II. Hence I(∀x.s) = 1.
• Assume (∃x.s) ∈ A. By ∇∃ we know sxa ∈ A for some a ∈ P. By inductive
hypothesis Isxa = 1. Using Lemma 4.1.3 we know Îx,a s = 1. Hence
I(∃x.s) = 1. □
Given any restricted tableau calculus T (e.g., TPLN) and set of formulas F
(e.g., PLNc) there are two important issues we will consider: termination and
completeness.
1. Does T terminate on F? Informally, if we start with a finite set A ⊆ F , are
we guaranteed we cannot apply the rules T infinitely often?
2. Is T complete for F? That is, are there T -refutations for finite A ⊆ F when-
ever A is unsatisfiable?
We already have the notion of a terminating relation from Section 3.5. To
apply this notion here, we define a relation T→ on finite subsets of F by saying
A T→ A′ if there is a refutation step which is an instance of a rule from T where
A ⊢ ⊥ is the conclusion of the step and A′ ⊢ ⊥ is one of the premisses. Stated in
terms of tableaux, A T→ A′ if we can extend a branch with formulas A to a branch
with formulas A′ (possibly creating other branches as well) using a rule from T.
Note that if A T→ A′ then we know A is a proper subset of A′ (i.e., A ⊂ A′).

Completeness means that we are guaranteed that if a finite set A ⊆ F is
unsatisfiable, then there is a refutation of A using the rules in T . Another way
to say “there is a refutation of A using the rules in T ” is to say that we can
construct a complete tableau using the rules of T starting from a single branch
containing only formulas from A. When we prove a completeness result, we
will actually prove the contrapositive. We will assume there is no refutation of
A using the rules of T and then construct a logical interpretation I satisfying
all the formulas in A. Now that we have the Model Existence Theorem above
(Theorem 6.6.1) we can prove completeness in an even simpler way (assuming
A ⊆ PLNc). Instead of constructing an interpretation of such an A, we need only
find a set H ⊆ PLNc such that A ⊆ H and H satisfies the Hintikka properties
∇c, ∇∨, ∇∧, ∇∀ and ∇∃.
Suppose we have a set F of formulas such that F ⊆ PLNc. Suppose further
that for any finite A ⊆ F, if A TPLN→ A′, then A′ ⊆ F. (This condition certainly
holds for the set PLNc.) Then we have completeness whenever we have termination.
Theorem 6.6.2 (Termination implies Completeness) Let F be a set of formulas
such that F ⊆ PLNc. Suppose for any finite A ⊆ F, if A TPLN→ A′, then A′ ⊆ F.
If TPLN→ is terminating on F, then TPLN→ is complete for F.
Proof Suppose A has no refutation using the TPLN-rules. Then there must be
some finite set H ⊆ PLNc such that A TPLN→∗ H, H is open (that is, there is no s
such that s ∈ H and ¬s ∈ H) and there is no A′ such that H TPLN→ A′. Informally,
H is an open branch such that none of the TPLN-rules applies to H. Since H is
open, ∇c holds for H. Since none of the TPLN-rules applies to H, the remaining
Hintikka conditions ∇∨, ∇∧, ∇∀ and ∇∃ all hold for H. By the Model Existence
Theorem (Theorem 6.6.1) there is a logical interpretation I such that I ⊨ s for all
s ∈ H. In particular, I ⊨ s for all s ∈ A. □
The restricted tableau calculus TPLN does not terminate on PLNc. Consider the
formula ∀x∃y.rxy. This is clearly in PLNc. We can easily apply the restricted
Forall and Exists rules forever as indicated:
∀x∃y.rxy
∃y.ra0y
ra0a1
∃y.ra1y
ra1a2
∃y.ra2y
ra2a3
...
On the other hand, TPLN will terminate on some subsets of PLNc. For any
s, let Sub(s) be the set of subterms of s of type B. We will call these subterms
subformulas of s. For a set A of formulas, let Sub(A) be ⋃s∈A Sub(s).
We will prove termination for (hence completeness of) the following three
subsets of PLNc relative to TPLN.
PLNno∃c = {s ∈ PLNc | there is no ∃y.t ∈ Sub(s)}
PLNcl∃c = {s ∈ PLNc | for every ∃y.t ∈ Sub(s) we have V(∃y.t) = ∅}
PLN∃∗c = {s ∈ PLNc | for every ∃y.t ∈ Sub(s) and x ∈ V(∃y.t), x is bound by an ∃}
The phrase "x is bound by an ∃" is informal and possibly misleading. (Recall
that only λ can bind a variable.) When we speak of ∃ or ∀ binding a variable we
actually mean the relevant λ binder occurs as ∃(λx.[]) or ∀(λx.[]). We could
make the phrase "x is bound by an ∃" precise using contexts. The important fact
that we will use is the following: If ∀x.s ∈ PLN∃∗c, a ∈ P and ∃y.t ∈ Sub(sxa),
then ∃y.t ∈ Sub(∀x.s).
Clearly we have
PLNno∃c ⊆ PLNcl∃c ⊆ PLN∃∗c ⊆ PLNc.
It is enough to prove termination on PLN∃∗c, since termination then follows for
the smaller sets. However, termination becomes more difficult to prove each time
we include more existential quantifiers.
For any set A of formulas we define Stock(A) to be the set
{θs | s ∈ Sub(A), θ : Nam → Ter, (∀x ∈ V(s). θ(x) ∈ P(A) ∪ {a0}), (∀u ∈ Nam \ V(s). θ(u) = u)}
Note that if A is finite, then Sub(A) is finite, V(s) is finite for each s ∈ Sub(A),
and P(A) ∪ {a0} is finite. Hence if A is finite, then Stock(A) is finite. For finite
A, we define Slack(A) to be the number of elements in Stock(A) \ A. That is,
Slack(A) = |Stock(A) \ A|.
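For a small toy term language, Stock and Slack can be computed directly. The sketch below uses a hypothetical tuple representation (atoms ('atom', p, w), connectives, quantifiers — not the notes' actual datatype) and enumerates the substitution instances over the given parameters plus a0:

```python
from itertools import product

def subformulas(s):
    """Sub(s): the subterms of s of type B, in the toy encoding."""
    out = {s}
    if s[0] in ('and', 'or'):
        out |= subformulas(s[1]) | subformulas(s[2])
    elif s[0] in ('forall', 'exists'):
        out |= subformulas(s[2])
    return out

def free_vars(s, variables):
    if s[0] == 'atom':
        return {s[2]} & variables
    if s[0] in ('and', 'or'):
        return free_vars(s[1], variables) | free_vars(s[2], variables)
    return free_vars(s[2], variables) - {s[1]}   # quantifier binds s[1]

def substitute(s, theta):
    if s[0] == 'atom':
        return ('atom', s[1], theta.get(s[2], s[2]))
    if s[0] in ('and', 'or'):
        return (s[0], substitute(s[1], theta), substitute(s[2], theta))
    inner = {k: v for k, v in theta.items() if k != s[1]}
    return (s[0], s[1], substitute(s[2], inner))

def stock(A, variables, params, a0='a0'):
    """All instances of subformulas of A whose free variables are
    replaced by parameters of A or the default a0."""
    targets = sorted(params | {a0})
    result = set()
    for s in set().union(*(subformulas(t) for t in A)):
        fv = sorted(free_vars(s, variables))
        for vals in product(targets, repeat=len(fv)):
            result.add(substitute(s, dict(zip(fv, vals))))
    return result

def slack(A, variables, params):
    return len(stock(A, variables, params) - set(A))
```

Applying Forall to {∀x.px} adds pa0 and, as the termination argument predicts, drops Slack from 1 to 0.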
To prove TPLN terminates on PLNno∃c it suffices to prove that if A TPLN→ A′, then
Slack(A) > Slack(A′). Suppose A TPLN→ A′. We consider four cases:
• Assume we applied And with s1 ∧ s2 ∈ A. Here A′ = A ∪ {s1, s2}. Note that
Sub(A) = Sub(A′) and so Stock(A) = Stock(A′). Thus Slack(A) > Slack(A′).
• Assume we applied Or with s1 ∨ s2 ∈ A. Here A′ = A ∪ {s1} or A′ = A ∪ {s2}. In
either case Sub(A) = Sub(A′) and so Stock(A) = Stock(A′). Thus Slack(A) > Slack(A′).
• Assume we applied Forall with ∀x.s ∈ A. Here A′ = A ∪ {sxa}. In this case we
do not know Sub(A) = Sub(A′). However, we can still conclude Stock(A) = Stock(A′).
To see this, note that the only new subformulas in Sub(A′) are of
the form txa where t ∈ Sub(A). Any θ(txa) ∈ Stock(A′) was already of the
form θ′t ∈ Stock(A) with θ′ = θ[x := a].
• Assume we applied Exists. This is impossible because we cannot have
∃x.s ∈ A ⊆ PLNno∃c.
Therefore, TPLN terminates on PLNno∃c .
Let us next consider termination of TPLN on PLNcl∃c . If A TPLN→ A′ using any
rule except Exists, then Slack(A) > Slack(A′). The proof of this fact proceeds
in the same way as above. On the other hand, the Exists rule introduces a fresh
parameter. In this case Stock(A′) may be much larger than Stock(A). Hence
Slack(A′) may be much bigger than Slack(A) after applying Exists.
We can still make use of Slack(A) to justify termination by making it part of a
lexical ordering on two natural numbers. The lexical ordering on pairs of natural
numbers is defined by
(i1, j1) > (i2, j2) iff either i1 > i2, or both i1 = i2 and j1 > j2.
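This ordering is easy to state in code; in Python, the built-in comparison on tuples coincides with it:

```python
def lex_greater(p, q):
    """(i1, j1) > (i2, j2) in the lexical ordering on pairs of naturals."""
    (i1, j1), (i2, j2) = p, q
    return i1 > i2 or (i1 == i2 and j1 > j2)

# Python's built-in tuple comparison implements the same ordering:
assert lex_greater((2, 0), (1, 99)) == ((2, 0) > (1, 99))
assert lex_greater((1, 5), (1, 4)) == ((1, 5) > (1, 4))
assert not lex_greater((1, 4), (1, 4))
```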
Note that if we know i1 > i2, then we clearly have (i1, j1) > (i2, j2). Also if we
know i1 ≥ i2 and j1 > j2, then we have (i1, j1) > (i2, j2). Slack(A) will play the
role of the j in our termination argument. We need only find a value to play the
role of the i. This value must decrease when we apply Exists and not increase
when we apply the other rules. For any A we define the set ∃(A) to be
{∃x.s ∈ Sub(A)|∀a ∈ P.sxa ∉ A}.
We can take |∃(A)| (the number of elements in ∃(A)) to play the role of i. Clearly
if A TPLN→ A′ via the Exists rule, then |∃(A)| > |∃(A′)|. It is also easy to check that
if A TPLN→ A′ via the And or Or rule, then |∃(A)| ≥ |∃(A′)|. Suppose A TPLN→ A′ via
the Forall rule with ∀x.s ∈ A. Here A′ is of the form A, sxa. In principle we may
have introduced a new ∃y.txa ∈ Sub(A′). However, since ∀x.s ∈ A ⊆ PLNcl∃c,
we know V(∃y.t) = ∅. Hence (∃y.t)xa is the same as ∃y.t, which was already in
Sub(A). We conclude that |∃(A)| ≥ |∃(A′)| in this case as well.
We have now proven that whenever A TPLN→ A′ one of two things happens:
1. |∃(A)| > |∃(A′)|, or
2. |∃(A)| ≥ |∃(A′)| and Slack(A) > Slack(A′).
Using the lexical ordering we conclude that TPLN→ terminates on PLNcl∃c.
We leave the proof of termination of TPLN→ on PLN∃∗c as an exercise. A similar
argument with a lexical ordering will work in this case as well.
Exercise 6.6.3 (Termination of TPLN on PLN∃∗c )
a) Define a natural number Power∃(A) for finite sets A ⊆ PLN∃∗c making use of
the set ∃(A).
b) Prove that if A TPLN→ A′ via the Exists rule, then Power∃(A) > Power∃(A′).
c) Prove that if A TPLN→ A′ via the And or Or rule, then Power∃(A) ≥ Power∃(A′).
d) Prove that if A TPLN→ A′ via the Forall rule, then Power∃(A) ≥ Power∃(A′).
e) Conclude that TPLN→ terminates on PLN∃∗c.
We now know termination and completeness for each of the fragments
PLNno∃c , PLNcl∃c and PLN∃∗c . We also know TPLN does not terminate on PLNc .
The only question remaining is whether TPLN is complete for PLNc . The answer
is yes and we will spend the rest of this section proving this completeness result.
The information is summarized in Table 6.1.
We say a set C of sets of formulas is a consistency class if it satisfies the
following five properties:
TPLN terminates? complete?
PLNno∃c Yes Yes
PLNcl∃c Yes Yes
PLN∃∗c Yes Yes
PLNc No Yes
Table 6.1: Termination and completeness results for TPLN
δc If A ∈ C, then s ∉ A or ¬s ∉ A.
δ∧ If A ∈ C and s1 ∧ s2 ∈ A, then A, s1, s2 ∈ C.
δ∨ If A ∈ C and s1 ∨ s2 ∈ A, then A, s1 ∈ C or A, s2 ∈ C.
δ∀ If A ∈ C and ∀x.s ∈ A, then A, sxa ∈ C for all a ∈ P(A) ∪ {a0}.
δ∃ If A ∈ C and ∃x.s ∈ A, then A, sxa ∈ C for some a ∈ P.
We say C is subset closed if A ∈ C whenever A ⊆ A′ and A′ ∈ C.
Lemma 6.6.4 (Extension Lemma) Let C be a subset closed consistency class. For
any A ∈ C with A ⊆ PLNc there is a set H ⊆ PLNc such that A ⊆ H and H satisfies
the Hintikka properties ∇c , ∇∨, ∇∧, ∇∀ and ∇∃.
Proof Suppose A ∈ C and A ⊆ PLNc . Enumerate all formulas in PLNc :
t0, t1, t2, t3, . . .
Let A0 = A ∈ C. For each n we define An+1 ∈ C as follows:
1. If An, tn ∉ C, then let An+1 = An.
2. If An, tn ∈ C and tn is not of the form ∃x.s, then let An+1 = An, tn.
3. If An, tn ∈ C and tn is ∃x.s, then by δ∃ there is some a ∈ P such that
An, tn, sxa ∈ C. In this case, let An+1 = An, tn, sxa .
We have ensured that An ∈ C and An ⊆ PLNc for each n and that we have the
inclusions
A0 ⊆ A1 ⊆ A2 ⊆ · · · ⊆ An ⊆ · · ·
Let H = ⋃n An ⊆ PLNc . Clearly A ⊆ H. We now easily verify that H satisfies the
Hintikka properties ∇c , ∇∨, ∇∧, ∇∀ and ∇∃.
∇c Suppose s,¬s ∈ H. There must be some n such that s,¬s ∈ An contradicting
An ∈ C and δc .
∇∨ Suppose s1 ∨ s2 ∈ H. There exist n,m such that s1 = tn and s2 = tm.
Let r > max(n,m) be big enough that tn ∨ tm ∈ Ar. We can visualize the
situation as follows:
(Diagram: the increasing chain A0 ⊆ ··· ⊆ An ⊆ ··· ⊆ Am ⊆ ··· ⊆ Ar, with tn = s1, tm = s2, and tn ∨ tm ∈ Ar.)
By δ∨ either Ar , tn ∈ C or Ar , tm ∈ C. By subset closure either An, tn ∈ C or
Am, tm ∈ C. Thus tn ∈ An+1 ⊆ H or tm ∈ Am+1 ⊆ H.
∇∧ Suppose tn ∧ tm ∈ H. Let r > max(n,m) be such that tn ∧ tm ∈ Ar. By δ∧
we know Ar, tn, tm ∈ C. By subset closure An, tn ∈ C and Am, tm ∈ C. Hence
tn ∈ H and tm ∈ H.
∇∀ Suppose ∀x.s ∈ H and a ∈ P(H)∪{a0}. There is some n such that tn = sxa .
Let r > n be big enough that ∀x.s ∈ Ar and a ∈ P(Ar) ∪ {a0}. By δ∀ we
know Ar , sxa ∈ C. By subset closure An, tn ∈ C. We conclude that tn ∈ H.
That is, sxa ∈ H.
∇∃ Suppose ∃x.s ∈ H. There is some n such that tn = ∃x.s. Let r > n be big
enough that ∃x.s ∈ Ar . By subset closure An, tn ∈ C. By definition of An+1
there is a parameter a ∈ P such that sxa ∈ An+1 ⊆ H. □
Any consistency class can be extended to a subset closed consistency class.
We leave this as an exercise.
Exercise 6.6.5 (Subset Closure) Let C be a consistency class. Define
C+ = {A|∃A′ ∈ C.A ⊆ A′}.
Prove C+ is a subset closed consistency class.
The set CPLN of all A that cannot be refuted using TPLN forms a consistency
class. We define CPLN to be such that A ∈ CPLN iff A is a finite set with A ⊆ PLNc
such that there is no refutation A ⊢ ⊥ using TPLN-rules. In terms of tableaux,
A ∈ CPLN if it is not possible to construct a complete tableau starting with a
single branch with formulas from A. We leave the verification that CPLN is a
consistency class as an exercise.
Exercise 6.6.6 Prove CPLN is a consistency class.
Using the exercise above we have a subset closed consistency class C+PLN such
that CPLN ⊆ C+PLN. We can now prove completeness.
Theorem 6.6.7 (Completeness) TPLN is complete for PLNc .
Proof Suppose there is no TPLN-refutation of A. Then A ∈ CPLN ⊆ C+PLN. By
Lemma 6.6.4 there is a set H ⊆ PLNc with A ⊆ H such that H satisfies the
Hintikka properties ∇c , ∇∨, ∇∧, ∇∀ and ∇∃. By the Model Existence Theorem
(Theorem 6.6.1) there is a logical interpretation I such that I ⊨ s for all s ∈ H.
In particular, I ⊨ s for all s ∈ A. □
6.7 Cantor’s Theorem
Cantor’s Theorem states that a set X is always smaller than its power set ℘(X).
The power set ℘(X) is the set of all subsets of X.
How can we express the idea that X is smaller than another set Y? Clearly
X and Y are the same size if we can find a bijective function from X to Y. This
would mean the elements of X and Y are in one-to-one correspondence with each
other. There are two ways there could fail to be a bijection from X to Y. Either
Y does not have enough elements, and so any function g : X → Y must eventually
start repeating values in Y (i.e., g will not be an injection), or Y has too many
elements, and any function g : X → Y must miss some elements of Y. We can
express the idea that X is smaller than Y by saying there is no surjection from X
to Y.
How can we express the idea that there is no surjection from X to Y in the
language? If we have types σ, τ such that Iσ = X and Iτ = Y , then we can write
¬∃g.∀v.∃u.gu = v
where g is a name of type στ , v is a name of type τ and u is a name of type σ .
For Cantor’s Theorem, if Iσ = X, then I(σB) is isomorphic to the power set
℘(X). Therefore, Cantor’s Theorem is equivalent to saying there is no surjection
from Iσ onto I(σB). This motivates the following version of Cantor’s Theorem
(for each type σ ):
¬∃g.∀f.∃u.gu = f
where g is a name of type σσB, f is a name of type σB and u is a name of type
σ. That is, there is no surjection from σ onto σB.
Informally, we can prove Cantor’s Theorem as follows. Assume there is a
surjection G : X → ℘(X). Consider the set
D = {a ∈ X|a ∉ (Ga)}.
Since D ∈ ℘(X) and G is surjective, there must be some d ∈ X such that G(d) = D.
Is d ∈ D? If d ∈ D, then d ∈ G(d) and so d ∉ D (by the definition of D). On
the other hand, if d ∉ D, then d ∉ G(d) and so d ∈ D (by the definition of D).
That is, d ∈ D iff d ∉ D. This is clearly impossible. Therefore, no such surjection
G can exist.
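The diagonal argument can also be checked exhaustively for a small finite X (a sanity check only — Cantor's Theorem concerns arbitrary sets): every function G : X → ℘(X) misses its own diagonal set D.

```python
from itertools import combinations, product

def powerset(X):
    return [frozenset(c) for r in range(len(X) + 1)
            for c in combinations(X, r)]

def misses_diagonal(X, G):
    """G maps each element of X to a subset of X; check that the
    diagonal set D = {a in X | a not in G(a)} is never in the range."""
    D = frozenset(a for a in X if a not in G[a])
    return all(G[a] != D for a in X)

# For |X| = 2 there are 16 candidate functions G : X -> powerset(X);
# each misses its diagonal set, so none is surjective.
X = [0, 1]
for images in product(powerset(X), repeat=len(X)):
    assert misses_diagonal(X, dict(zip(X, images)))
```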
Can we prove this using the tableau rules introduced so far? We can start
forming a tableau for Cantor’s theorem by writing the negation of the theorem,
then applying DNeg and Exists.
¬¬∃g.∀f.∃u.gu = f
∃g.∀f.∃u.gu = f
∀f.∃u.gu = f
¬¬∃g.∀f.∃u.gu = f
∃g.∀f.∃u.gu = f
∀f.∃u.gu = f
∃u.gu = λx.¬gxx
gd = λx.¬gxx
Figure 6.17: Partial tableau proof for Cantor
The next apparent step is to use Forall with a term of type σB. What is
a reasonable term to use? The key step in proving the set theory version of
Cantor’s Theorem was introducing the set
D = {a ∈ X|a ∉ (ga)}.
In the current context, we would have a ∈ Iσ, g ∈ I(σσB), and ga ∈ I(σB). Let
us use g both as a name of type σσB and as its interpretation Ig for the moment.
Instead of writing a ∉ (ga), we need to write ¬(gaa). Also, instead of forming
a set, we form a function in I(σB). The relevant function is the interpretation of
λx.¬gxx.
We apply Forall with this term to add
∃u.gu = λx.¬gxx
to the branch. We can now apply Exists with a name d of type σ to add
gd = λx.¬gxx
to the branch.
Using the tableau rules given so far, we have formed the tableau shown in
Figure 6.17. Is there any way to make progress? No. We need new rules to make
progress.
The first rule is Functional= which will allow us to treat a functional equation
f =στ g as ∀x.fx =τ gx. Another rule Functional≠ will allow us to treat a
functional disequation f ≠στ g as ∃x.fx ≠τ gx. These are shown in Figure 6.18.
We can make progress by applying Functional= with some term t to add
gdt =B (λx.¬gxx)t
to the branch. Recall that in the proof of Cantor’s Theorem we asked whether
d ∈ D. In the current context, this corresponds to asking whether or not
(λx.¬gxx)d
Functional=   s =στ u ⇒ st = ut    for any term t of type σ
Functional≠   s ≠στ u ⇒ sa ≠ ua    where a is a fresh name of type σ
Figure 6.18: Rules for equality at function types
¬¬∃g.∀f.∃u.gu = f
∃g.∀f.∃u.gu = f
∀f.∃u.gu = f
∃u.gu = λx.¬gxx
gd = λx.¬gxx
gdd = (λx.¬gxx)d
gdd                ¬gdd
(λx.¬gxx)d         ¬(λx.¬gxx)d
Figure 6.19: Second partial tableau proof for Cantor
Lambda   s ⇒ s′   where s ∼λ s′
Figure 6.20: Lambda tableau rule
is true. This motivates applying Functional= with the term d to add
gdd =B (λx.¬gxx)d
to the branch. Since we have an equation at type B, we can apply Boolean= and
split the branch into two branches, giving the tableau in Figure 6.19.
Neither of the two branches is closed, but both of the branches would be
closed if we could simply β-reduce (λx.¬gxx)d to be ¬gdd. This motivates
adding the Lambda rule shown in Figure 6.20.
Using the Lambda rule we can close the two branches and we have the tableau
proof for Cantor’s Theorem shown in Figure 6.21.
¬¬∃g.∀f.∃u.gu = f
∃g.∀f.∃u.gu = f
∀f.∃u.gu = f
∃u.gu = λx.¬gxx
gd = λx.¬gxx
gdd = (λx.¬gxx)d
gdd                ¬gdd
(λx.¬gxx)d         ¬(λx.¬gxx)d
¬gdd               ¬¬gdd
Figure 6.21: Tableau proof for Cantor
6.7.1 Russell’s Law/Turing’s Law
How would you answer the following questions?
1. On a small island, can there be a barber who shaves everyone who doesn’t
shave himself?
2. Does there exist a Turing machine that halts on the representation of a Turing
machine x if and only if x does not halt on the representation of x?
3. Does there exist a set that contains a set x as element if and only if x ∉ x?
The answer to all 3 questions is no, and the reason is purely logical. It is the
same idea underlying the proof of Cantor’s theorem.
Russell’s or Turing’s Law: Let f : IIB be a name and x,y : I be names. We
can prove ¬∃f .∃x.∀y.fxy ≡ ¬fyy .
¬¬(∃f.∃x.∀y.fxy ≡ ¬fyy)
∃f.∃x.∀y.fxy ≡ ¬fyy
∃x.∀y.fxy ≡ ¬fyy
∀y.fxy ≡ ¬fyy
fxx ≡ ¬fxx
fxx         ¬fxx
¬fxx        ¬¬fxx
6.7.2 More about the Lambda rule
Adding the Lambda rule opens many new possibilities. As a very simple example,
we can now prove ∃f.∀x.fx = x where f : II is a name and x : I is a name. The
following tableau proves this formula:
¬∃f.∀x.fx = x
∀f.¬∀x.fx = x
¬∀x.(λx.x)x = x
¬∀x.x = x
∃x.x ≠ x
x ≠ x
6.8 Equality
We are still missing a few rules. In particular we need rewriting rules so that we
can use equations to replace subterms. Suppose we are attempting to refute
A = {a = b, b = c, a ≠ c}
where a, b, c are names of the same sort α ≠ B. At the moment no rule can be
applied to extend the tableau
a = b
b = c
a ≠ c
We remedy this gap by adding the two tableau rules in Figure 6.22 for rewriting.
For convenience we allow these rules to be applied when the equation is preceded
by a list of universal quantifiers, and we allow the variables to be instantiated
before the replacement is made. Using the rewriting rules it is easy to complete
the tableau above in several different ways:
1. We could use Apply= on a = b and a ≠ c with context [] ≠ c to add b ≠ c to
the branch.
2. We could use Apply= on b = c and a ≠ c with context a ≠ [] to add a ≠ b to
the branch.
3. We could use Apply= on a = b and b = c with context [] = c to add a = c to
the branch.
4. We could use Apply= on b = c and a = b with context a = [] to add a = c to
the branch.
Any of these applications will close the branch.
To see an easy example in which we instantiate quantified variables, consider
the formula
(∀xy.fxy = gxy) → fy = gy
Apply=   ∀xn.s = t, C[θs] ⇒ C[θt]
Apply=   ∀xn.s = t, C[θt] ⇒ C[θs]
where for both versions of the rule θy = y if y ∉ xn
and C[] is admissible for {∀xn.s = t}
Figure 6.22: Tableau rewriting rules
where x, y : I are names and f, g : III are names. A complete tableau for this is
given by
¬((∀xy.fxy = gxy) → fy = gy)
∀xy.fxy = gxy
fy ≠ gy
(λz.fyz) ≠ λz.gyz
(λz.fyz) ≠ λz.fyz
Note that in one step we used Lambda to η-expand fy ≠ gy into
(λz.fyz) ≠ λz.gyz. In another step we have used Apply= with context
(λz.fyz) ≠ λz.[] and θ such that θ(x) = y and θ(y) = z.
6.9 Excluded Middle as a Rule
Suppose we are trying to refute the set
A = {pa,¬pb,a, b}
where p : BB is a name and a, b : B are names. Is this set satisfiable? No, it is
not. We are forced to interpret a and b such that Ia = 1 = Ib. This means I(pa)
must equal I(pb). On the other hand, none of the tableau rules given so far can
be applied to
pa
¬pb
a
b
We can remedy this problem by adding the refutation rules (both called XM) in
Figure 6.23. The corresponding tableau views are shown in Figure 6.24.
The XM rule allows us to introduce an arbitrary disjunction of the form s ∨ ¬s
or ¬s ∨ s onto a branch. Combining this with the Or rule, we can split any branch
XM   From A, s ∨ ¬s ⊢ ⊥ infer A ⊢ ⊥.        XM   From A, ¬s ∨ s ⊢ ⊥ infer A ⊢ ⊥.
Figure 6.23: Extra refutation rules
XM   s ∨ ¬s        XM   ¬s ∨ s
Figure 6.24: Tableau views of extra refutation rules
into two branches where in one branch we know s holds and in the other we
know ¬s holds. Often this is useful if we know s must be true on the branch (so
that the branch with ¬s will be easy to close) and we believe s will be useful.
Using the XM rule, we can obtain the following complete tableau refuting the
set A above.
pa
¬pb
a
b
a = b ∨ a ≠ b
a = b        a ≠ b
pb           a        b
             ¬b       ¬a
On the left branch we have used Apply= and on the right branch we have used
Boolean≠ to split into two (closed) branches.
Note that this rule is fundamentally different from the tableau rules we have
shown so far. The new formula s∨¬s need not have any relationship to a formula
already on the branch.
6.10 Examples
6.10.1 Expressing Universal Quantification in terms of Existential
We know we can express the universal quantifier in terms of the existential quan-
tifier using De Morgan’s law. Let all be λf .¬∃x.¬fx. We can easily prove
∀f .allf = ∀x.fx
as a tableau. (Note that the steps where we expand the definition of all are
actually applications of Lambda.)
¬∀f.allf = ∀x.fx
∃f.allf ≠ ∀x.fx
allf ≠ ∀x.fx
allf           ∀x.fx
¬∀x.fx         ¬allf
∃x.¬fx         ¬¬∃x.¬fx
¬∃x.¬fx        ∃x.¬fx
               ¬fx
               fx
6.10.2 Expressing Equality using Higher-Order Quantifiers
We have seen that equality can be expressed using Leibniz’ Law:
λxy.∀f .fx → fy
Here we assume x,y : σ and f : σB are variables. We can use the same idea to
express disequality. Let neq be λxy.∃f.fx ∧ ¬fy. We can easily prove
∀xy.neqxy ≡ x ≠ y
with the following tableau.
¬∀xy.neqxy ≡ x ≠ y
∃x.¬∀y.neqxy ≡ x ≠ y
¬∀y.neqxy ≡ x ≠ y
∃y.¬(neqxy ≡ x ≠ y)
¬(neqxy ≡ x ≠ y)
neqxy              x ≠ y
¬(x ≠ y)           ¬neqxy
x = y              ¬∃f.fx ∧ ¬fy
∃f.fx ∧ ¬fy        ∀f.¬(fx ∧ ¬fy)
fx ∧ ¬fy           ¬((λy.x = y)x ∧ ¬(λy.x = y)y)
fx                 ¬(x = x ∧ x ≠ y)
¬fy                x ≠ x ∨ ¬(x ≠ y)
¬fx                x ≠ x      ¬(x ≠ y)
We can also express equality as the least reflexive relation. Let eq be
λxy.∀r .(∀z.rzz) → rxy where r : σσB is a variable. We prove
∀xy.eqxy = (x = y)
with a tableau.
¬∀xy.eqxy = (x = y)
∃x.¬∀y.eqxy = (x = y)
¬∀y.eqxy = (x = y)
∃y.eqxy ≠ (x = y)
eqxy ≠ (x = y)
eqxy                                  x = y
x ≠ y                                 ¬eqxy
∀r.(∀z.rzz) → rxy                     ¬∀r.(∀z.rzz) → rxy
(∀z.(λxy.x = y)zz) → (λxy.x = y)xy    ∃r.¬((∀z.rzz) → rxy)
(∀z.z = z) → x = y                    ¬((∀z.rzz) → rxy)
x = y      ¬∀z.z = z                  ∀z.rzz
           ∃z.z ≠ z                   ¬rxy
           z ≠ z                      rxx
                                      ¬rxx
6.10.3 Solving Easy Equations
Sometimes existential theorems can be proven by taking the body as giving a
definition. It is important to recognize when theorems are this easy to prove!
Here are two examples:
We can think of the type σB as the type of sets of elements of type σ . The
membership relation should have type σ(σB)B in this context. Let in : σ(σB)B,
x : σ and f : σB be variables. We can prove the existential theorem
∃in.∀xf .inxf = fx
by using the term
λxf .fx
when we apply the Forall rule to the quantifier binding in in the following tableau.
¬∃in.∀xf.inxf = fx
∀in.¬∀xf.inxf = fx
¬∀xf.(λxf.fx)xf = fx
¬∀xf.fx = fx
∃x.¬∀f.fx = fx
¬∀f.fx = fx
∃f.fx ≠ fx
fx ≠ fx
We can similarly prove the existence of a set difference function. Let diff :
(σB)(σB)σB, f , g : σB and x : σ be variables. We prove
∃diff.∀fgx.difffgx = (fx ∧ ¬gx)
with the following tableau.
¬∃diff.∀fgx.difffgx = (fx ∧ ¬gx)
∀diff.¬∀fgx.difffgx = (fx ∧ ¬gx)
¬∀fgx.(λfgx.fx ∧ ¬gx)fgx = (fx ∧ ¬gx)
¬∀fgx.(fx ∧ ¬gx) = (fx ∧ ¬gx)
∃f.¬∀gx.(fx ∧ ¬gx) = (fx ∧ ¬gx)
¬∀gx.(fx ∧ ¬gx) = (fx ∧ ¬gx)
∃g.¬∀x.(fx ∧ ¬gx) = (fx ∧ ¬gx)
¬∀x.(fx ∧ ¬gx) = (fx ∧ ¬gx)
∃x.(fx ∧ ¬gx) ≠ (fx ∧ ¬gx)
(fx ∧ ¬gx) ≠ (fx ∧ ¬gx)
6.10.4 Expressing Conjunction with → and ⊥
Let x,y : B be variables. Let neg : BB be λx.x → ⊥. Let and : BBB be
λxy.neg(x → negy). We prove ∀xy.andxy = (x ∧y).
¬∀xy.andxy = (x ∧ y)
∃x.¬∀y.andxy = (x ∧ y)
¬∀y.andxy = (x ∧ y)
∃y.andxy ≠ (x ∧ y)
andxy ≠ (x ∧ y)
andxy                        x ∧ y
¬(x ∧ y)                     ¬andxy
¬x ∨ ¬y                      x
neg(x → negy)                y
(x → negy) → ⊥               ¬neg(x → negy)
⊥     ¬(x → negy)            ¬((x → negy) → ⊥)
      x                      x → negy
      ¬negy                  ¬⊥
      ¬x     ¬y              negy      ¬x
             ¬(y → ⊥)        y → ⊥
             y               ⊥     ¬y
             ¬⊥
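Independently of the tableau, the definitions can be sanity-checked by a brute-force truth table in Python (here `imp`, `neg` and `and_` are hypothetical helper names standing for →, the defined negation, and the defined conjunction):

```python
# neg x stands for x -> bottom, and_ x y for neg(x -> neg y).
def imp(x, y):
    return (not x) or y

def neg(x):
    return imp(x, False)

def and_(x, y):
    return neg(imp(x, neg(y)))

# The defined conjunction agrees with the built-in one on all four cases.
for x in (False, True):
    for y in (False, True):
        assert and_(x, y) == (x and y)
```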
6.10.5 Expressing Conjunction with Higher-Order Quantification
Let x, y : B and g : BBB be variables. Let and : BBB be λxy.∀g.gxy = g⊤⊤.
We will prove ∀xy.andxy = (x ∧ y). Proving this with one big tableau is
possible, but let’s split it into two lemmas.
First we prove ∀xy.andxy → x ∧y .
¬∀xy.andxy → x ∧ y
∃x.¬∀y.andxy → x ∧ y
¬∀y.andxy → x ∧ y
∃y.¬(andxy → x ∧ y)
¬(andxy → x ∧ y)
andxy
¬(x ∧ y)
¬x ∨ ¬y
∀g.gxy = g⊤⊤
(λxy.x ∧ y)xy = (λxy.x ∧ y)⊤⊤
(x ∧ y) = (⊤ ∧ ⊤)
x ∧ y          ¬(x ∧ y)
⊤ ∧ ⊤          ¬(⊤ ∧ ⊤)
               ¬⊤ ∨ ¬⊤
               ¬⊤     ¬⊤
Next we prove ∀xy.x ∧ y → andxy .
¬∀xy.x ∧ y → andxy
∃x.¬∀y.x ∧ y → andxy
¬∀y.x ∧ y → andxy
∃y.¬(x ∧ y → andxy)
¬(x ∧ y → andxy)
x ∧ y
¬andxy
¬∀g.gxy = g⊤⊤
∃g.gxy ≠ g⊤⊤
gxy ≠ g⊤⊤
x
y
x = ⊤ ∨ x ≠ ⊤
x = ⊤                        x ≠ ⊤
g⊤y ≠ g⊤⊤                    x      ⊤
y = ⊤ ∨ y ≠ ⊤                ¬⊤     ¬x
y = ⊤         y ≠ ⊤
g⊤⊤ ≠ g⊤⊤     y      ⊤
              ¬⊤     ¬y
Finally we prove ∀xy.andxy = (x ∧y) using these two lemmas.
¬∀xy.andxy = (x ∧ y)
∀xy.andxy → x ∧ y
∀xy.x ∧ y → andxy
∃x.¬∀y.andxy = (x ∧ y)
¬∀y.andxy = (x ∧ y)
∃y.andxy ≠ (x ∧ y)
andxy ≠ (x ∧ y)
andxy                     x ∧ y
¬(x ∧ y)                  ¬andxy
∀y.andxy → x ∧ y          ∀y.x ∧ y → andxy
andxy → x ∧ y             x ∧ y → andxy
x ∧ y     ¬andxy          andxy     ¬(x ∧ y)
6.10.6 Kaminski Equation
Let f : BB and x : B be names. We can prove the following equation
f(f(fx)) = fx
which we call the Kaminski Equation. A special case of the Kaminski Equation is
f(f(f⊥)) = f⊥
This can be proven by considering whether certain subterms are equal to ⊤ or ⊥.
For instance, what if f⊥ = ⊥? In this case we clearly have f(f(f⊥)) = ⊥ = f⊥.
What if f⊥ = ⊤? In this case we have f(f(f⊥)) = f(f⊤), but does f(f⊤) = ⊤?
A further case analysis on the value of f⊤ (assuming f⊥ = ⊤) can be used to
prove f(f⊤) = ⊤, verifying the equation.
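The case analysis can also be checked exhaustively: over B there are only four functions f : B → B, and the equation holds for each of them. A small Python check (representing a function by its value table):

```python
from itertools import product

B = [False, True]

def kaminski_holds(table):
    """table = (f(False), f(True)) determines one of the four f : B -> B."""
    f = lambda b: table[int(b)]
    return all(f(f(f(x))) == f(x) for x in B)

# f(f(f(x))) = f(x) holds for every function f : B -> B.
assert all(kaminski_holds(t) for t in product(B, repeat=2))
```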
Many proofs of the Kaminski Equation are possible.
Exercise 6.10.1 Prove the Kaminski Equation informally and then give a tableau
proof based on your informal proof.
6.10.7 Choice
If C is a choice function at σ , then C(λy.x = y) = x for all x of type σ .
∀p.(∃x.px) → p(Cp)
¬∀x.C(λy.x = y) = x
∃x.C(λy.x = y) ≠ x
C(λy.x = y) ≠ x
(∃z.(λy.x = y)z) → (λy.x = y)(C(λy.x = y))
(∃z.x = z) → x = C(λy.x = y)
x = C(λy.x = y)      ¬∃z.x = z
                     ∀z.x ≠ z
                     x ≠ x
If we assume C is a choice function at type τ , then we can prove the Skolem
principle
((∀x.∃y.rxy) → ∃f .∀x.rx(fx))
where r has type στB.
∀p.(∃x.px) → p(Cp)
¬((∀x.∃y.rxy) → ∃f.∀x.rx(fx))
∀x.∃y.rxy
¬∃f.∀x.rx(fx)
∀f.¬∀x.rx(fx)
¬∀x.rx((λx.C(rx))x)
¬∀x.rx(C(rx))
∃x.¬rx(C(rx))
¬rx(C(rx))
(∃z.rxz) → rx(C(rx))
rx(C(rx))      ¬∃z.rxz
               ∃y.rxy
               ∃z.rxz
If we have the Skolem principle
((∀x.∃y.rxy) → ∃f.∀x.rx(fx))
where r has type (σB)σB, then we can prove the existence of a choice function
at type σ . We first prove the following lemma:
∀p.∃y.(∃y.py) → py
¬∀p.∃y.(∃y.py) → py
∃p.¬∃y.(∃y.py) → py
¬∃y.(∃y.py) → py
∀y.¬((∃y.py) → py)
¬((∃y.py) → pz)
∃y.py
¬pz
py
¬((∃y.py) → py)
∃y.py
¬py
Now we use the lemma to prove the main result.
∀p.∃y.(∃y.py) → py
¬∃C.∀p.(∃y.py) → p(Cp)
∀r.(∀x.∃y.rxy) → ∃f.∀x.rx(fx)
(∀x.∃y.(λxy.(∃y.xy) → xy)xy) → ∃f.∀x.(λxy.(∃y.xy) → xy)x(fx)
(∀x.∃y.(∃y.xy) → xy) → ∃f.∀x.(∃y.xy) → x(fx)
∃f.∀x.(∃y.xy) → x(fx)        ¬∀x.∃y.(∃y.xy) → xy
∃C.∀p.(∃y.py) → p(Cp)        ¬∀p.∃y.(∃y.py) → py
Note that the last step on each branch is an application of Lambda to α-convert
the next-to-last formula on the branch.
7 A Taste of Set Theory
Earlier we saw how to specify the natural numbers by giving a sort N, names
such as O : N and S : NN, and formulas ensuring that the sort and the names
have the intended interpretation. We can repeat a similar process for sets.
We still assume the same situation as in the last section: we have the sort I and
the disjoint infinite sets V and P of names of sort I. Let us suppose I is a logical
interpretation and II is a collection of sets. Let us use X, Y, Z, A, B, C, D, a, b, c, d
to range over sets in II.

The basic relation of set theory is membership. Assume we have a name
∈ : IIB which we write in infix notation. We write s ∈ t for the term ∈ st. We will
also write s ∉ t as notation for the term ¬(∈ st). Assume ∈ and ∉ have the same
priority as the infix operator =.
Another important relation in set theory is the subset relation. Assume we
have a term ⊆ : IIB which we also write in infix notation. Assume ⊆ also has
the same priority as the infix operator =. We can express subset in terms of
membership as follows:

∀xy. x ⊆ y ≡ ∀z. z ∈ x → z ∈ y

We can also write this as the closed PLN-formula

∀xy. (¬x ⊆ y ∨ ∀z. ¬z ∈ x ∨ z ∈ y) ∧ (x ⊆ y ∨ ∃z. z ∈ x ∧ ¬z ∈ y)

though this is more difficult to read. From now on we will not restrict ourselves
to PLN-formulas, but will point out when formulas can be expanded into
equivalent PLN-formulas. At this point, we could take ⊆ : IIB to be a name and
assume

∀xy. x ⊆ y ≡ ∀z. z ∈ x → z ∈ y

as an axiom. Since we are not restricting ourselves to PLN-formulas, it also makes
sense to define ⊆ : IIB to simply be notation for the term

λxy. ∀z. z ∈ x → z ∈ y

We take this option.
Which sets would we like to ensure are in II? The first set we consider is the
empty set, denoted ∅. The empty set has no elements. How can we ensure the
empty set is in II? In fact we can do this with a simple PLN-formula:
• Empty Set Exists: ∃y. ∀z. z ∉ y.
Next, any time we have a set X ∈ II we can form the power set of X, denoted
℘(X). The power set of X contains exactly the subsets of X. That is, Y ∈ ℘(X) if
and only if Y ⊆ X. We can ensure the existence of power sets as follows:
• Power Sets Exist: ∀x.∃y.∀z.z ∈ y ≡ z ⊆ x.
This is not a PLN-formula, but could be easily expanded into one.
We are now assured II contains at least ∅, ℘(∅), ℘(℘(∅)), ℘(℘(℘(∅))), etc. Let
us think about these sets. How many subsets of ∅ are there? Clearly, there is
only one: ∅. Hence

℘(∅) = {∅}.

Now how many subsets of {∅} are there? There are two: ∅ and {∅}, so

℘(℘(∅)) = {∅, {∅}}.

Now how many subsets of {∅, {∅}} are there? There are four:

℘(℘(℘(∅))) = {∅, {∅}, {{∅}}, {∅, {∅}}}.
In general, if a finite set X has n elements, then ℘(X) has 2^n elements.

Notice that for each X above, X ⊆ ℘(X). Is this always true? No. A set X is
called transitive if for every Z ∈ A and A ∈ X we have Z ∈ X. It is an
easy exercise to prove X ⊆ ℘(X) if and only if X is transitive. It is also easy to
prove that if X is transitive, then ℘(X) is transitive. Warning: This use of the
word “transitive” is distinct from the notion of a “transitive relation.” We are
not in any way suggesting the relation ∈ is transitive!
Exercise 7.0.2 Find a set X such that X ⊈ ℘(X).
Exercise 7.0.3 Prove the following three statements are equivalent:
a) X is transitive.
b) For every A ∈ X we know A ⊆ X.
c) X ⊆ ℘(X).
Hint: Prove (a) implies (b); prove (b) implies (c); prove (c) implies (a).
Exercise 7.0.4 If X is transitive, then ℘(X) is transitive.
Combining these facts, we conclude the following inclusions:
∅ ⊆ ℘(∅) ⊆ ℘(℘(∅)) ⊆ · · · ⊆ ℘^n(∅) ⊆ · · ·

We recursively define sets V0 = ∅ and Vn+1 = ℘(Vn). Since the size of
Vn grows (quickly!) as n grows, we have the more suggestive picture of a “big V”
in Figure 7.1.
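The first levels Vn can be computed concretely, modelling hereditarily finite sets with Python frozensets (a sketch; the helper name powerset and the list V are ours):

```python
from itertools import combinations

def powerset(s):
    """All subsets of the frozenset s, as a frozenset of frozensets."""
    elems = list(s)
    return frozenset(frozenset(c)
                     for r in range(len(elems) + 1)
                     for c in combinations(elems, r))

V = [frozenset()]                    # V0 = empty set
for n in range(4):
    V.append(powerset(V[-1]))        # V_{n+1} = powerset(V_n)

print([len(v) for v in V])           # [0, 1, 2, 4, 16]
assert all(V[n] <= V[n + 1] for n in range(4))   # the inclusion chain
```

The sizes 0, 1, 2, 4, 16 match the description of V0 through V4 above, and the subset checks confirm the inclusion chain.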
[Figure: nested levels V0 = ∅, V1 = {∅}, V2 = {∅, {∅}}, V3 = {∅, {∅}, {{∅}}, {∅, {∅}}}, V4 (16 elements), . . . , Vn, drawn as a widening “V”]

Figure 7.1: Sets as a big V
How could we prove ℘(∅) exists? The first question is how we express the
claim that ℘(∅) exists. A first try might be

∃y. ∀z. z ∈ y ≡ z ⊆ ∅

but ∅ is a set, not a name of type I! We can express the conjecture without using
a name for the empty set. Here is one way to do it:

∃y. ∀z. z ∈ y ≡ ∀w. (∀u. u ∉ w) → z ⊆ w

We will not do this! We want names for our objects and constructors!

Suppose ∅ : I is a name of type I. (Note the overloading. Some occurrences
of ∅ will be a name of type I and others will be the empty set. We already
used such overloading for ∈ and ⊆, without saying so.) To avoid any potential
complications, assume ∅ ∉ V. Now we can state the existence of ℘(∅) as

∃y. ∀z. z ∈ y ≡ z ⊆ ∅

but have no hope of proving it. Why not? We only assumed an empty set exists,
not that the name ∅ denotes the empty set. We remedy this:

• Empty Set: ∀z. z ∉ ∅.

This axiom will guarantee that I∅ = ∅. (That is, the interpretation of the name ∅
is the empty set.)

We now have a name ∅ for the empty set. Why do we not have a term of type I
corresponding to ℘(∅)? The problem is the formulation of the Power Sets Exist
axiom. In order to make our lives easier, we assume we have a name Pow : II
where I Pow X is (or at least should be) the power set ℘(X). We now assume
• Power Sets: ∀xz. z ∈ (Pow x) ≡ z ⊆ x.

Now the fact that ℘(∅) exists is trivial (as it should be!) since Pow ∅ is a term
such that I(Pow ∅) = ℘(∅).

We noted that if we had a set X with n elements, ℘(X) had 2^n elements.
Clearly n is smaller than 2^n. Is there some way to express the fact that X is a
smaller set than ℘(X) within the language? After we express it, can we prove it?
Unfortunately, we are not in such a simple situation. In our situation X and
Y do not correspond to types, but to members of II. We can give a formulation
that is almost as simple by taking g to be a name of type II, x, y , u and v to be
names of type I, and writing
¬∃g. (∀u. u ∈ x → gu ∈ y) ∧ (∀v. v ∈ y → ∃u. u ∈ x ∧ gu = v)

If Ix = X and Iy = Y, then the formula above will be true iff there is no function
from all of II to II which restricts to a surjection from X to Y. We take
surj : II(II)B to be notation for the term
λxyg. (∀u.u ∈ x → gu ∈ y)∧ ∀v.v ∈ y → ∃u.u ∈ x ∧ gu = v
Note that we have made use of a higher-order quantifier (∃g where g has type
II). As soon as we quantify over a type other than I, we have certainly
abandoned PLN-formulas. With some work, we can express the idea that there
is no surjection without quantifying over types other than I. We will not do this
here, but we will sketch the steps.
1. Consider a function as a set of ordered pairs.
2. Define ordered pairs (a, b) ∈ II of a ∈ II and b ∈ II such that
(a, b) = (a′, b′)⇒ a = a′ and b = b′.
A common choice is to use the Kuratowski pair (a, b) of a and b given by
{{a}, {a, b}}.
3. Define Z ∈ II to be a surjection from X to Y if four conditions hold:
a) Every element of Z is of the form (a, b) for some a ∈ X and b ∈ Y .
b) For every a ∈ X, there is some b ∈ Y such that (a, b) ∈ Z .
c) If (a, b) ∈ Z and (a, b′) ∈ Z, then b = b′.
d) For every b ∈ Y, there is some a ∈ X such that (a, b) ∈ Z.
4. Write these conditions as a formula.
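Step 2 can be checked concretely. Modelling sets as Python frozensets, the Kuratowski pair satisfies the required property (a sketch; the name pair is ours):

```python
from itertools import product

def pair(a, b):
    """Kuratowski pair (a, b) = {{a}, {a, b}}, modelled with frozensets."""
    return frozenset({frozenset({a}), frozenset({a, b})})

# check the characteristic property on some small sets
zero = frozenset()
one = frozenset({zero})
elems = [zero, one]
for a, b in product(elems, repeat=2):
    for c, d in product(elems, repeat=2):
        # pairs are equal exactly when both components agree
        assert (pair(a, b) == pair(c, d)) == (a == c and b == d)
```

Note that pair(a, a) collapses to {{a}}, which is why the equality check, not just the construction, needs verifying.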
We now return to the concept we wanted to define: when a set x is smaller
than y . Now that we have surj, we take ≺ (written in infix, with the same prece-
dence as =) to be notation for the term
λxy.¬∃g.surjxyg
of type IIB. We can now easily express the result about the size of the power set
as
∀x.x ≺ (Powx).
We will delay thinking about proving this result.
So far we have only constructed finite sets. We started with the finite set �. At
each stage, we had a finite set Vn of finite sets and formed Vn+1 = ℘(Vn). Since
any subset of a finite set is finite, Vn+1 only contains finite sets. Also, since a
finite set has only finitely many subsets, Vn+1 is itself finite. How can we form
an infinite set?
We can easily define a sequence of sets which resembles the natural numbers.
Let 0 be ∅, 1 be {0}, 2 be {0, 1}, and so on. In general, we can define
n + 1 = {0, . . . , n}. An easy induction on n proves that n ∉ Vn, n ⊆ Vn and n ∈ Vn+1.
Consider the set ω defined to be

{0, 1, 2, . . . , n, . . .}.
Clearly ω is an infinite set and is not in any Vn.
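For small n, the claims n ∉ Vn, n ⊆ Vn, and n ∈ Vn+1 can be checked concretely with frozensets (a sketch; powerset, nums, and V are our names):

```python
from itertools import combinations

def powerset(s):
    """All subsets of the frozenset s, as a frozenset of frozensets."""
    elems = list(s)
    return frozenset(frozenset(c)
                     for r in range(len(elems) + 1)
                     for c in combinations(elems, r))

# von Neumann numerals: 0 = {}, n + 1 = {0, ..., n}
nums = [frozenset()]
for _ in range(3):
    nums.append(frozenset(nums))

# cumulative hierarchy levels V0 .. V4
V = [frozenset()]
for _ in range(4):
    V.append(powerset(V[-1]))

for n in range(4):
    assert nums[n] not in V[n]       # n is not in V_n
    assert nums[n] <= V[n]           # n is a subset of V_n
    assert nums[n] in V[n + 1]       # n is in V_{n+1}
```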
We can continue the construction of our set theoretical universe by taking

Vω = ⋃_{n∈ω} Vn.
This Vω is an infinite set. Is ω ∈ Vω? It cannot be. Every member of Vω is
a member of Vn for some n. Hence Vω only contains finite sets. On the other
hand, ω ⊆ Vω and so ω ∈ ℘(Vω). This motivates continuing our power set
construction: For each n, we take Vω+n+1 to be ℘(Vω+n). Clearly ω ∈ Vω+1 (just
as each n was in Vn+1). Note that we still have a chain
V0 ⊆ V1 ⊆ V2 ⊆ · · · ⊆ Vn ⊆ · · · ⊆ Vω ⊆ Vω+1 ⊆ · · · ⊆ Vω+n ⊆ · · ·
and the even bigger “big V” in Figure 7.2.
Notice that for any n, m ∈ ω, we have n < m (as integers) iff n ∈ m (as sets).
Now that we have an infinite set ω, we can ask an interesting question. How
does the size of ℘(ω) compare with the size of ω? Clearly ω is countable. In
the case of finite sets we had X ≺ ℘(X). Is this also true of infinite sets? Yes. In
fact, we gave the informal proof in Chapter 6. We repeat it here.
Theorem 7.0.5 (Cantor’s Theorem) For any set X, X ≺ ℘(X).
[Figure: the levels V0 = ∅, V1 = {∅}, V2 = {∅, {∅}}, V3, V4, . . . , Vn, Vn+1, . . . , Vω, Vω+1, . . . , Vω+n, with the numerals 0, 1, 2, 3, . . . , n and the set ω marked at the levels where they first appear]

Figure 7.2: Sets, including some infinite sets, as a big V
Proof Assume we have a set X such that X ≺ ℘(X) does not hold. Then there
must be a surjection G : X → ℘(X). Consider the set

D = {a ∈ X | a ∉ G(a)}.

Since D ∈ ℘(X) and G is surjective, there must be some d ∈ X such that
G(d) = D. Is d ∈ D? If d ∈ D, then d ∈ G(d) and so d ∉ D (by the definition of D). On
the other hand, if d ∉ D, then d ∉ G(d) and so d ∈ D (by the definition of D).
That is, d ∈ D iff d ∉ D. This is clearly impossible. Therefore, no such surjection
G can exist. ∎
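For a small finite X the diagonal argument can be replayed exhaustively: every candidate G misses the diagonal set D (a Python sketch; the dict encoding of G is ours):

```python
from itertools import product, combinations

X = frozenset({0, 1})

def powerset(s):
    elems = list(s)
    return [frozenset(c) for r in range(len(elems) + 1)
            for c in combinations(elems, r)]

PX = powerset(X)                       # the 4 subsets of X

# every function G : X -> powerset(X), encoded as a dict
for values in product(PX, repeat=len(X)):
    G = dict(zip(sorted(X), values))
    D = frozenset(a for a in X if a not in G[a])
    # D differs from G(a) at the point a for every a, so D is never
    # in the range of G: no G : X -> powerset(X) is surjective.
    assert D not in G.values()
```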
The key idea of the proof of Cantor’s theorem is the choice of D. In order to
mimic the informal proof above in a formal tableau proof, we must be able to
make use of the set D. We can construct a partial tableau of the form
¬(x ≺ (Pow x))
⋮
∀v. v ∈ (Pow x) → ∃u. u ∈ x ∧ (gu) = v

We then need to somehow apply Forall to instantiate v with a term corresponding
to the set D. Examine the set D:
D = {a ∈ X|¬(a ∈ (Ga))}
We can imagine writing the body as

¬(y ∈ (gy))

with a variable y, and this body has type B as expected. We can λ-abstract the y
and obtain the term

λy. ¬(y ∈ (gy))

but this term has type IB, where we need to instantiate v with a term of type I.
With the axioms and constructors introduced so far, we cannot represent the set
D as a term. What we need to be able to do is take a term of type I representing
a set X and a term of type IB representing a property P of sets and form a term
of type I corresponding to {a ∈ X | Pa = 1}.

Just as we introduced the names ∅ and Pow, we introduce a name sep of type
I(IB)I such that for all X ∈ II and P ∈ I(IB) we have

I sep X P = {a ∈ X | Pa = 1}.
The corresponding axiom is the Axiom of Separation:
• Separation: ∀xpz. z ∈ (sep x p) ≡ z ∈ x ∧ pz

Remark: In first-order set theory, the separation axiom is restricted to prop-
erties p defined by first-order formulas.
Cantor’s theorem implies that ω is a smaller infinity than ℘(ω). In fact we
have an infinite chain of infinities
ω ≺ ℘(ω) ≺ ℘(℘(ω)) ≺ · · · .
A natural question one could ask is whether there are infinities in between any
of these inequalities. In particular, is there a set X such that ω ≺ X and
X ≺ ℘(ω)? Cantor’s Continuum Hypothesis states that there are no such sets X. The
Continuum Hypothesis is often stated in the following form:

Continuum Hypothesis (CH) Every infinite subset X of ℘(ω) is either countable
or has the same cardinality as ℘(ω).

Is this true? Is it false? Is it provable? Is its negation provable?
In 1900 a famous German mathematician and logician named David Hilbert
made a list of 23 important open problems in mathematics. In an address at
the International Congress of Mathematicians in Paris in 1900 he talked about
the first 10 of these problems. The continuum hypothesis was the first of these
problems, so it is also known as Hilbert’s first problem.
CH led to the following interesting results:
• The fact that the negation of CH is not provable using the usual axioms of set
theory was proven by Gödel in 1940.
• The fact that CH is not provable using the usual axioms of set theory was
proven by Paul Cohen in 1962.
How can we prove something is not provable? The question only becomes
precise once we specify the deductive system. If we have a deductive system,
a notion of a logical interpretation, and a soundness result, then we can prove a
formula s is unprovable by constructing a logical interpretation such that Is = 0.
In the case of the results above, the deductive system is first-order logic with
the Zermelo–Fraenkel axioms of set theory with the axiom of choice, which is commonly
referred to as ZFC.
There is much more we could say about set theory, but this is not a course
on set theory! If you want to read more about set theory, try the first chapters
of [26] or [25].
8 Decision Trees
In this section we investigate equivalence of propositional formulas. Two formu-
las s, t are equivalent if the equation s = t is deducible. We identify a class of
canonical propositional formulas such that every propositional formula is equiv-
alent to exactly one canonical formula. The canonical form is based on so-called
decision trees. We obtain an efficient algorithm for equivalence checking by
employing a dynamic programming technique on a minimal graph representa-
tion of decision trees known as a binary decision diagram (BDD). The data struc-
tures and algorithms presented in this section have many applications, including
computer-aided design of computer hardware and verification of finite state sys-
tems (i.e., model checking). The essential ideas are due to Randal Bryant [33].
8.1 Boolean Functions
Functional circuits are an important building block of computer hardware.
A functional circuit maps some inputs x1, . . . , xm to some outputs
y1, . . . , yn. Inputs and outputs are two-valued. Every output is determined as
a function of the inputs. This leads to the notion of a Boolean function, an ab-
straction that is essential for hardware design.
A Boolean variable is a variable of type B. Let X be a nonempty and finite set
of Boolean variables. The following definitions are parameterized with X.
An assignment (σ) is a function X → B. A Boolean function (ϕ) is a function
(X → B) → B. Seen from the circuit perspective, an assignment σ provides values
σx for the inputs x ∈ X, and a Boolean function describes how an output is ob-
tained from the inputs. Some authors call Boolean functions switching functions.
Sometimes it is helpful to see a Boolean function as a set of assignments.
In order to design a functional circuit, one must know which Boolean func-
tions (one per output) it ought to compute. So how can electrical engineers spec-
ify Boolean functions? A simple-minded approach is truth tables. For instance,
given x,y ∈ X, we can see the truth table
x y ϕσ0 0 0
0 1 1
1 0 1
1 1 0
as a specification of the Boolean function that returns 1 if and only if its inputs x
and y are different. A more compact specification of this Boolean function would
be the propositional formula x ≢ y. Clearly, if there are many relevant inputs,
the specification of a Boolean function with a formula can be more compact than
the specification with a truth table.
Let PF be the set of all propositional formulas containing only variables
from X. We define a function F ∈ PF → (X → B) → B such that Fs is the
Boolean function specified by the formula s:
F⊥σ = 0
F⊤σ = 1
Fxσ = σx   if x ∈ X
F(¬s)σ = 1 − Fsσ
F(s ∧ t)σ = min{Fsσ, Ftσ}
F(s ∨ t)σ = max{Fsσ, Ftσ}
F(s → t)σ = max{1 − Fsσ, Ftσ}
F(s ≡ t)σ = (Fsσ = Ftσ)
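The defining equations of F translate directly into a recursive evaluator. A sketch in Python, with formulas encoded as nested tuples and the strings 'bot'/'top' for ⊥/⊤ (this encoding is ours):

```python
def F(s, sigma):
    """Evaluate a propositional formula s under assignment sigma (a dict X -> {0, 1})."""
    if s == 'bot':
        return 0
    if s == 'top':
        return 1
    if isinstance(s, str):                       # a Boolean variable from X
        return sigma[s]
    op, *args = s
    vals = [F(t, sigma) for t in args]
    if op == 'not':
        return 1 - vals[0]
    if op == 'and':
        return min(vals)
    if op == 'or':
        return max(vals)
    if op == 'imp':
        return max(1 - vals[0], vals[1])
    if op == 'equiv':
        return int(vals[0] == vals[1])
    raise ValueError(op)

# the negated equivalence of x and y: 1 exactly when the inputs differ
s = ('not', ('equiv', 'x', 'y'))
table = [F(s, {'x': a, 'y': b}) for a in (0, 1) for b in (0, 1)]
assert table == [0, 1, 1, 0]
```

The computed column 0, 1, 1, 0 matches the truth table given above.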
Proposition 8.1.1 Let s ∈ PF, I be a logical interpretation, and σ be the unique
assignment such that σ ⊆ I . Then Is = Fsσ .
Proof By induction on s. ∎
From the proposition it’s clear that assignments can play the role of logical in-
terpretations for propositional formulas. While logical interpretations come with
redundant and irrelevant information, assignments only contain the information
that is necessary for the evaluation of propositional formulas.
Often it is necessary to decide whether two formulas s, t ∈ PF represent the
same Boolean function. For instance, s might be the specification of a Boolean
function and t may describe the implementation of this function in terms of
more primitive functions. Then the implementation is correct if and only if
Fs = Ft.
Proposition 8.1.2 Let s, t ∈ PF. Then Fs = Ft iff s = t is a tautology.
Proof Fs = Ft holds if s, t evaluate to the same value with every assignment,
and s = t is a tautology if s, t evaluate to the same value with every logical
interpretation. Thus the claim follows with Proposition 8.1.1. ∎
Given Proposition 8.1.2, we can say that the function F constitutes a seman-
tics for propositional formulas. Since there are only finitely many assignments,
the semantics provided by F is effective in that it gives us a naive algorithm for
deciding whether a propositional formula is a tautology. The algorithm may even
be practical if a formula is not a tautology and we implement it with heuristics
that find a falsifying assignment quickly. On the other hand, if we want to show
that a formula is a tautology, the tableau method seems more promising.
We say that two terms s, t are equivalent if they have the same type and the
equation s = t is deducible.
Proposition 8.1.3 Let s, t ∈ PF. Then the following statements are equivalent:
1. s and t are equivalent.
2. s = t is a tautology.
3. Fs = Ft.
Proof Follows with Theorem 6.4.1 and Proposition 8.1.2. ∎
F illustrates an important semantic idea that we have not seen so far. The
interesting thing about F is that it gives us a denotational characterization of
propositional equivalence: Two propositional formulas are equivalent if and only
if they denote the same semantic object (i.e., a Boolean function).
Let’s return to Boolean functions. Can every Boolean function be represented
by a propositional formula? The answer is yes.
Proposition 8.1.4 Let ϕ be a Boolean function. Then:
ϕ = F( ⋁_{σ ∈ X→B, ϕσ=1}  ⋀_{x ∈ X}  (if σx = 1 then x else ¬x) )
Proof Let σ be an assignment. It suffices to show that the left-hand side yields 1
for σ if and only if the right-hand side does. This is easy to verify. Remark:
if the index set of the disjunction is empty, the disjunction represents ⊥. ∎
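The construction of Proposition 8.1.4 is easy to mechanize: collect the assignments where ϕ yields 1 and evaluate the resulting disjunction of conjunctions. A sketch (representing assignments as dicts and minterms as lists is our choice):

```python
from itertools import product

X = ['x', 'y']

def phi(sigma):
    """The Boolean function returning 1 iff x and y differ."""
    return int(sigma['x'] != sigma['y'])

assignments = [dict(zip(X, bits)) for bits in product([0, 1], repeat=len(X))]

# one conjunction ("minterm") per assignment with phi sigma = 1
minterms = [s for s in assignments if phi(s) == 1]

def dnf(sigma):
    """Evaluate the disjunction of the minterms under sigma."""
    return int(any(all(sigma[x] == m[x] for x in X) for m in minterms))

# the represented function coincides with phi on every assignment
assert all(dnf(s) == phi(s) for s in assignments)
```

An empty list of minterms makes dnf constantly 0, matching the remark that the empty disjunction represents ⊥.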
Exercise 8.1.5 We require that X is finite so that every Boolean function can be
represented by a formula. Suppose X is infinite. How can we obtain a Boolean
function that cannot be represented by a propositional formula?
8.2 Decision Trees and Prime Trees
Every Boolean function can be represented by infinitely many propositional for-
mulas. Given a Boolean function, formulas can represent it more or less explic-
itly. For instance ⊤ and ¬¬x → x both represent the same Boolean function.
Of course, in general it is not clear what more or less explicit means. However,
the following question is meaningful: Can we find a class of canonical proposi-
tional formulas such that every Boolean function can be represented by one and
only one canonical formula, and such that canonical formulas are informative
representations of Boolean functions?
In the following we will study a system of canonical propositional formulas
that is based on the notion of a decision tree. We start with the notation
(s, t, u) := ¬s ∧ t ∨ s ∧u
and call formulas of this form conditionals. The following proposition explains
why we use this name.
Proposition 8.2.1 The following formulas are tautologies:
1. (⊥, x, y) = x
2. (⊤, x, y) = y
3. (x, y, y) = y
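The three tautologies can be confirmed by evaluating the conditional over 0/1 (a sketch; cond is our name for the (s, t, u) notation):

```python
from itertools import product

def cond(s, t, u):
    """The conditional (s, t, u) := not s /\ t \/ s /\ u, over {0, 1}."""
    return max(min(1 - s, t), min(s, u))

for x, y in product([0, 1], repeat=2):
    assert cond(0, x, y) == x        # (bot, x, y) = x
    assert cond(1, x, y) == y        # (top, x, y) = y
    assert cond(x, y, y) == y        # (x, y, y) = y
```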
Exercise 8.2.2 Find tableau proofs for the tautologies in Proposition 8.2.1.
Decision trees are defined recursively:
1. ⊥ and ⊤ are decision trees.
2. (x, s, t) is a decision tree if x is a Boolean variable and s and t are decision
trees.
As the name suggests, decision trees can be thought of as trees. For instance,
(x, ⊤, (y, (z, ⊥, ⊤), ⊥)) may be seen as the tree

x
├── ⊤
└── y
    ├── z
    │   ├── ⊥
    │   └── ⊤
    └── ⊥
To compute Fsσ for a decision tree s, we start at the root of s and follow the
path determined by σ (σx = 0 means “go left”, and σx = 1 means “go right”).
If we reach a leaf, the result is determined by the label of the leaf (0 for ⊥ and 1
for ⊤).
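This evaluation strategy is a short recursion. A Python sketch, with leaves 0/1 for ⊥/⊤ and inner nodes (x, left, right) (the encoding is ours):

```python
def F_tree(s, sigma):
    """Follow the path through decision tree s determined by assignment sigma."""
    if s in (0, 1):                      # a leaf: bot or top
        return s
    x, left, right = s
    return F_tree(right if sigma[x] else left, sigma)   # sigma x = 1 means "go right"

# the example tree (x, top, (y, (z, bot, top), bot)) from above
t = ('x', 1, ('y', ('z', 0, 1), 0))
assert F_tree(t, {'x': 0, 'y': 1, 'z': 0}) == 1   # go left to the leaf top
assert F_tree(t, {'x': 1, 'y': 0, 'z': 1}) == 1   # right, then left, then right
assert F_tree(t, {'x': 1, 'y': 1, 'z': 0}) == 0   # right, then right to the leaf bot
```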
(x, ⊥, ⊤) for x        (x, ⊤, ⊥) for ¬x        (x, ⊥, (y, ⊥, ⊤)) for x ∧ y
(x, (y, ⊥, ⊤), ⊤) for x ∨ y        (x, (y, ⊤, ⊥), (y, ⊥, ⊤)) for x ≡ y

Figure 8.1: Prime trees for some simple formulas
Proposition 8.2.3 Let (x, s0, s1) ∈ PF. Then:
F(x, s0, s1)σ = if σx = 0 then Fs0σ else Fs1σ
Proposition 8.2.4 (Coincidence)
Let s ∈ PF and σx = σ ′x for all x ∈ V s. Then Fsσ = Fsσ ′.
Given decision trees, it is straightforward to define a canonical subclass. A
decision tree is reduced if none of its subtrees has the form (x, s, s). We assume
a linear order on the set of all Boolean variables and write x < y if x is smaller
than y . A decision tree is ordered if the variables get larger as one goes down on
a path from the root to a leaf. The example tree shown above is ordered if and
only if x < y < z. A prime tree is a reduced and ordered decision tree. Formally,
we define prime trees recursively:
1. ⊥ and ⊤ are prime trees.
2. (x, s, t) is a prime tree if s and t are different prime trees (i.e., s ≠ t) and x is a
Boolean variable that is smaller than every variable that occurs in s or t.
We will show that every propositional formula is equivalent to exactly one prime
tree. Figure 8.1 shows the prime trees for some simple formulas.
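The recursive definition of prime trees can be turned into a checker: a node is a prime tree if its subtrees differ and every variable below the root is strictly greater than the root variable. A sketch in Python, with leaves 0/1 for ⊥/⊤, nodes (x, left, right), and variables compared by name (all our encoding choices):

```python
def is_prime(s, lower=None):
    """Check that s is a prime tree; lower is an internal bound:
    every variable in s must be strictly greater than it."""
    if s in (0, 1):                            # the leaves bot and top
        return True
    x, left, right = s
    return (left != right                      # reduced: subtrees differ
            and (lower is None or lower < x)   # ordered: x above the bound
            and is_prime(left, x)
            and is_prime(right, x))

assert is_prime(('x', 0, ('y', 0, 1)))         # the prime tree for x /\ y
assert not is_prime(('x', 1, 1))               # not reduced
assert not is_prime(('y', 0, ('x', 0, 1)))     # not ordered when x < y
```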
8.3 Existence of Prime Trees
First we outline an algorithm that computes for a propositional formula an equiv-
alent prime tree. The algorithm is based on the following proposition.1
Proposition 8.3.1 (Shannon Expansion)
For every formula s and every Boolean variable x: ⊢ s = (x, sx⊥, sx⊤).

Proof Straightforward with BCAR and Proposition 8.2.1. ∎
1 Claude Shannon showed in his famous 1937 master’s thesis done at MIT that the arrangement
of the electromechanical relays then used in telephone routing switches could be analyzed with Boolean algebra.
The algorithm works by recursion on the number of Boolean variables oc-
curring in s. If s contains no Boolean variables, s can be evaluated to ⊥ or ⊤.
Otherwise, the algorithm determines the least Boolean variable x occurring in s
and obtains prime trees s0, s1 for sx⊥ and sx⊤ by recursion. If s0 ≠ s1, we obtain
the prime tree (x, s0, s1); otherwise s0 does the job.
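The outlined algorithm can be sketched directly: substitute the least variable by ⊥ and ⊤, recurse, and combine. A Python sketch; the tuple encoding of formulas and trees and the alphabetical variable order are our assumptions:

```python
def variables(s):
    """The Boolean variables occurring in formula s."""
    if isinstance(s, str):
        return set() if s in ('bot', 'top') else {s}
    return set().union(*(variables(t) for t in s[1:]))

def subst(s, x, b):
    """Replace variable x by the constant b ('bot' or 'top') in s."""
    if s == x:
        return b
    if isinstance(s, str):
        return s
    return (s[0],) + tuple(subst(t, x, b) for t in s[1:])

OPS = {'not': lambda a: 1 - a, 'and': min, 'or': max,
       'imp': lambda a, b: max(1 - a, b),
       'equiv': lambda a, b: int(a == b)}

def evaluate(s):
    """Evaluate a variable-free formula to 0 or 1."""
    if s == 'bot':
        return 0
    if s == 'top':
        return 1
    op, *args = s
    return OPS[op](*(evaluate(t) for t in args))

def prime(s):
    """Prime tree for s: leaves 0/1, inner nodes (x, left, right)."""
    vs = variables(s)
    if not vs:
        return evaluate(s)
    x = min(vs)                          # least variable (alphabetical order)
    s0 = prime(subst(s, x, 'bot'))       # Shannon expansion at x
    s1 = prime(subst(s, x, 'top'))
    return s0 if s0 == s1 else (x, s0, s1)

assert prime(('and', 'x', 'y')) == ('x', 0, ('y', 0, 1))
assert prime(('imp', ('not', ('not', 'x')), 'x')) == 1   # a tautology
```

The two checks reproduce the prime tree for x ∧ y from Figure 8.1 and confirm that the tautology ¬¬x → x collapses to the leaf ⊤.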
In the following, we will show the correctness of the algorithm by stating and
proving some essential properties.
We define the free variables of a term s as V s := {x ∈ N s | x is a variable}.
A term s is variable-free if V s = ∅.
Proposition 8.3.2 (Evaluation) Let s be a variable-free propositional formula.
Then ⊢ s = ⊥ or ⊢ s = ⊤.

Proof By induction on s. Straightforward. ∎
Lemma 8.3.3 Let s be a propositional formula and x be the least variable that
occurs in s. Let s0 and s1 be prime trees that are equivalent to sx⊥ and sx⊤, respec-
tively. Moreover, let V s0 ⊆ V sx⊥ and V s1 ⊆ V sx⊤. Then:

1. If s0 = s1, then s0 is a prime tree that is equivalent to s.
2. If s0 ≠ s1, then (x, s0, s1) is a prime tree that is equivalent to s.

Proof Follows with Proposition 8.3.1 and Proposition 8.2.1. ∎
Proposition 8.3.4
For every propositional formula s there exists an equivalent prime tree t such
that V t ⊆ V s.
Proof Follows with Lemma 8.3.3 by induction on the number of variables occur-
ring in s. ∎
Exercise 8.3.5 Draw all prime trees containing no other variables but x and y .
Assume x < y . For each tree give an equivalent propositional formula that is as
simple as possible.
Exercise 8.3.6 Let s be the propositional formula x = (y = z). Assume
x < y < z. Draw the prime trees for the following formulas: s, ¬s, s ∧ s, s → s.
8.4 Example: Diet Rules
On a TV show a centenarian is asked for the secret of his long life. Oh, he says,
my long life is due to a special diet that I started 60 years ago and follow every
day. The presenter gets all excited and asks for the diet. Oh, that’s easy, says the
old gentleman, there are only 3 rules you have to follow:
1. If you don’t take beer, you must have fish.
2. If you have both beer and fish, don’t have ice cream.
3. If you have ice cream or don’t have beer, then don’t have fish.
Let’s look at the diet rules from a logical perspective. Obviously, the diet is only
concerned with three Boolean properties of a meal: having beer, having fish, and
having ice cream. We can model these properties with three Boolean variables
b, f , i and describe the diet with a propositional formula that evaluates to 1 if
the diet is satisfied by a meal:
(¬b → f) ∧ (b ∧ f → ¬i) ∧ (i∨¬b → ¬f)The formula is one one possible description of the diet. More abstractly, the diet
is represented by the Boolean function decribed by the formula. A related repre-
sentation of the diet is the prime tree that is equivalent to the initial formula:
b
├── ⊥
└── f
    ├── ⊤
    └── i
        ├── ⊤
        └── ⊥

Now we know that the diet is observed if and only if the following rules are
observed:
1. Always drink beer.
2. Do not have both fish and ice cream.
Clearly, the prime tree represents the diet much more explicitly than the initial
formula obtained from the rules given by the gentleman.
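The agreement between the three original rules and the two simplified ones can be confirmed by checking all eight assignments (a Python sketch; imp is our helper for implication):

```python
from itertools import product

def imp(p, q):
    """Implication p -> q on booleans."""
    return (not p) or q

def diet(b, f, i):
    """The three diet rules: b = beer, f = fish, i = ice cream."""
    return (imp(not b, f)                # rule 1: no beer -> fish
            and imp(b and f, not i)      # rule 2: beer and fish -> no ice cream
            and imp(i or not b, not f))  # rule 3: ice cream or no beer -> no fish

def simplified(b, f, i):
    """The rules read off the prime tree: beer, and not both fish and ice cream."""
    return b and not (f and i)

# the two descriptions agree on all eight meals
for b, f, i in product((False, True), repeat=3):
    assert diet(b, f, i) == simplified(b, f, i)
```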
Exercise 8.4.1 Four girls agree on some rules for a party:
i) Whoever dances with Richard must also dance with Peter and Michael.
ii) Whoever does not dance with Richard is not allowed to dance with Peter and
must dance with Christophe.
iii) Whoever does not dance with Peter is not allowed to dance with Christophe.
Express these rules as simply as possible.
a) Describe each rule with a propositional formula. Use only the variables c (Christophe), p (Peter), m (Michael), r (Richard).
b) Give the prime tree that is equivalent to the conjunction of the rules. Use the
order c < p < m < r .
8.5 Uniqueness of Prime Trees
We use σxb to denote the assignment that is like σ except that it maps x to b.
Lemma 8.5.1 If s, t ∈ PF are different prime trees, then Fs and Ft are different
Boolean functions.
Proof By induction on |s| + |t|. Let s, t be different prime trees. We show that
there is an assignment σ such that Fsσ ≠ Ftσ.

Case s, t ∈ {⊥, ⊤}. Every σ does the job.

Case s = (x, s0, s1) and x ∉ N t. By induction we have an assignment σ such
that Fs0σ ≠ Fs1σ. Since x occurs neither in s0 nor in s1, we have Fsσx0 ≠ Fsσx1
since Fsσx0 = Fs0σx0 = Fs0σ ≠ Fs1σ = Fs1σx1 = Fsσx1. But Ftσx0 = Ftσx1
since x does not occur in t. Hence Fsσx0 ≠ Ftσx0 or Fsσx1 ≠ Ftσx1.

Case t = (x, t0, t1) and x ∉ N s. Analogous to the previous case.

Case s = (x, s0, s1) and t = (x, t0, t1). Then s0 ≠ t0 or s1 ≠ t1. By induction
there exists an assignment σ such that Fs0σ ≠ Ft0σ or Fs1σ ≠ Ft1σ. By
coincidence Fs0σx0 ≠ Ft0σx0 or Fs1σx1 ≠ Ft1σx1. Hence Fsσx0 ≠ Ftσx0 or
Fsσx1 ≠ Ftσx1.

To see that the case analysis is exhaustive, consider the case where both s and t
are non-atomic trees with root variables x and y. If x < y, then x does
not occur in t since all variables in t are greater than or equal to y and hence
greater than x. If y < x, then y does not occur in s since all variables in s are
greater than or equal to x and hence greater than y. ∎
Theorem 8.5.2 (Prime Tree) For every propositional formula there exists ex-
actly one equivalent prime tree.
Proof The existence follows with Proposition 8.3.4. To show the uniqueness,
assume that s is a propositional formula and t1, t2 are different prime trees that
are equivalent to s. Without loss of generality we can assume that t1, t2 ∈ PF
(because we can choose X = V t1 ∪ V t2). Hence Ft1 ≠ Ft2 by Lemma 8.5.1.
Hence t1, t2 are not equivalent by Proposition 8.1.3. Contradiction since t1, t2
are both equivalent to s. ∎
8.6 Properties of Prime Trees
For every propositional formula s we denote the unique prime tree equivalent
to s with πs. We call πs the prime tree for s.
Proposition 8.6.1 Let s and t be propositional formulas.
1. s is equivalent to πs.
2. V (πs) ⊆ V s.
3. s, t are equivalent if and only if πs = πt.
4. s is a tautology if and only if πs = ⊤.
Proof Claim (1) follows by definition of πs. Claim (2) follows with Proposi-
tion 8.3.4 and Theorem 8.5.2. Claim (3) follows with (1) and Theorem 8.5.2.
For Claim (4) first note that s is a tautology iff s = ⊤ is a tautology. By Proposi-
tion 8.1.3 this is the case iff s and ⊤ are equivalent. By Claim (3) this is the case
iff πs = π⊤. Now we are done since π⊤ = ⊤. ∎
The significant variables of a propositional formula are the variables occur-
ring in its prime tree. The following lemma says that the significant variables of
a prime tree s are significant variables of the Boolean function Fs.
Lemma 8.6.2 Let s ∈ PF be a prime tree and x ∈ V s. Then there exists an
assignment σ such that Fsσx⊥ ≠ Fsσx⊤.
Proof By contradiction. Assume Fsσx⊥ = Fsσx⊤ for all assignments σ. Then
Fsσ = Fsσx⊥ for all σ. Hence s and sx⊥ are equivalent. Thus πs = π(sx⊥) by
Proposition 8.6.1 (3). Since s is a prime tree, we have s = πs = π(sx⊥). This is
a contradiction since x ∈ V s = V(π(sx⊥)) ⊆ V(sx⊥) by Proposition 8.6.1 (2) and
x ∉ V(sx⊥). ∎
Proposition 8.6.3 For every propositional formula s:
1. If x is a significant variable of s, then x occurs in s.
2. A Boolean variable x is significant for s if and only if there exists an assign-
ment σ such that Fsσx⊥ ≠ Fsσx⊤.

Proof Claim (1) follows with Proposition 8.6.1. For Claim (2) we assume without
loss of generality that s is a prime tree (recall that Fs = F(πs) holds for all
propositional formulas). The left-to-right direction follows with Lemma 8.6.2. To
see the other direction, let Fsσx⊥ ≠ Fsσx⊤. By Coincidence we have x ∈ V s.
Since s is a prime tree, x is a significant variable of s. ∎
A variable x ∈ X is significant for a Boolean function ϕ if there exists an
assignment σ such that ϕσx⊥ ≠ ϕσx⊤. By the proposition just stated we
know that the significant variables of a formula s ∈ PF are exactly the significant
variables of the Boolean function Fs.

Boolean functions and F are defined with respect to a finite set of variables X.
In contrast, the definition of the prime tree representation πs and of the signif-
icant variables of s does not depend on X. In principle, it is possible to fix X
as the set of all Boolean variables, with the consequence that not every Boolean
function can be described by a propositional formula. In this case, prime trees
are a perfect representation for the finitary Boolean functions.
Prime trees are a canonical representation for propositional formulas. Given
a set S of syntactic objects and an equivalence relation on these objects, a canon-
ical representation is a set C ⊆ S such that for every object in S there is exactly
one equivalent object in C . In § 3.7 we have seen a canonical representation for
simply typed terms: Every term is λ-equivalent to exactly one λ-normal term
(Corollary 3.7.3).
Exercise 8.6.4
a) Find a propositional formula s that contains the variables x, y, z and has x as its only significant variable.
b) Determine the significant variables of the formula (x → y)∧(x∨y)∧(y∨z).
8.7 Prime Tree Algorithms
Given two prime trees s and t, how can we efficiently compute the prime trees
for ¬s, s ∧ t, s ∨ t and so on? It turns out that there are elegant algorithms that
perform well in practice. Here we will develop the algorithms for negation and
conjunction. The algorithms for the other operations can be obtained along the
same lines.
To develop the algorithms for negation and conjunction, we first define the
functions to be computed by the algorithms.
not ∈ PT → PT
and ∈ PT → PT → PT

not s = π(¬s)
and s t = π(s ∧ t)
We base the algorithm for negation on the tautologies (verify!)
¬⊥ = ⊤
¬⊤ = ⊥
¬(x, y, z) = (x, ¬y, ¬z)
With the tautologies one can verify the equations
π(¬⊥) = ⊤
π(¬⊤) = ⊥
π(¬(x, s, t)) = (x, π(¬s), π(¬t))   if (x, s, t) is a prime tree
The correctness of the first two equations is obvious. For the correctness of the last equation we show two things:

1. The formula on the left is equivalent to the formula on the right. To ver-
ify this, we can erase all applications of π since π always yields equivalent
formulas. Now we are left with an instance of the third tautology.
2. The formula on the right is a prime tree. Let (x, s, t) be a prime tree. Clearly,
the formula on the right is a decision tree. We need to show that it is ordered
and reduced. Since π(¬s) and π(¬t) contain only variables that are in s and t, and (x, s, t) is ordered, (x, π(¬s), π(¬t)) is ordered. Since (x, s, t) is a
prime tree, s and t are not equivalent. Hence ¬s and ¬t are not equivalent
(since x=y ≡ ¬x=¬y is a tautology). Hence π(¬s) and π(¬t) are different
prime trees.
Together, the two properties yield the correctness of the equation since for every
formula there is only one equivalent prime tree.
Now we have the following procedure:
not : PT → PT
not ⊥ = ⊤
not ⊤ = ⊥
not (x, s, t) = (x, not s, not t)
The equations are exhaustive and terminating. Moreover, they are valid for the
function not (they reduce to the above equations with π by unfolding the defini-
tion of the function not). Hence the procedure not computes the function not.
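The notes develop procedures in a Standard ML style; as an illustration only, the procedure not can be sketched in Python. The tuple encoding below ("F" for ⊥, "T" for ⊤, and (x, s0, s1) for a decision node with subtrees s0 and s1) is an assumption of this sketch, not notation from the text:

```python
# Decision trees as nested tuples: "F" (⊥), "T" (⊤), or (x, s0, s1),
# where x is a variable name and s0, s1 are the two subtrees.
# This encoding is hypothetical, chosen for the sketch.

def neg(s):
    """Prime tree for the negation of the prime tree s."""
    if s == "F":
        return "T"
    if s == "T":
        return "F"
    x, s0, s1 = s
    return (x, neg(s0), neg(s1))
```

Since negation neither reorders variables nor makes distinct subtrees equal, no reduction step is needed: the result is a prime tree whenever the input is.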
Next we devise an algorithm for conjunction. This time we employ the follow-
ing tautologies (verify!):
⊥ ∧ y = ⊥
⊤ ∧ y = y
(x, y, z) ∧ (x, y′, z′) = (x, y ∧ y′, z ∧ z′)
(x, y, z) ∧ u = (x, y ∧ u, z ∧ u)
Moreover, we exploit the commutativity of ∧. We also use an auxiliary function
red ∈ DT → DT
red ⊥ = ⊥
red ⊤ = ⊤
red (x, s, t) = if s = t then s else (x, s, t)
Now we can verify the following equations:
π(⊥ ∧ t) = ⊥
π(⊤ ∧ t) = t
π((x, s0, s1) ∧ (x, t0, t1)) = red(x, π(s0 ∧ t0), π(s1 ∧ t1))
π((x, s0, s1) ∧ t) = red(x, π(s0 ∧ t), π(s1 ∧ t))   if t = (y, t0, t1) and x < y
As for negation, the correctness of the equations is established in two steps. First one verifies that for each equation the formula on the left is equivalent to the
formula on the right. Since π and red yield equivalent formulas, we can erase
their applications. Now we are left with instances of the above tautologies. For
the second step we show that the formulas on the right are prime trees, provided
the arguments on the left hand side are prime trees. This is easy and explains
the condition x < y coming with the last equation.
Now we have the following procedure:
and : PT→ PT → PT
and ⊥ t = ⊥
and ⊤ t = t
and s ⊥ = ⊥
and s ⊤ = s
and (x, s0, s1) (x, t0, t1) = red(x, and s0 t0, and s1 t1)
and (x, s0, s1) t = red(x, and s0 t, and s1 t)
if t = (y, t0, t1) and x < y
and s (y, t0, t1) = red(y, and s t0, and s t1)
if s = (x, s0, s1) and x > y
The procedure and computes the function and since the following properties are
satisfied:
1. The equations are exhaustive and terminating.
2. The equations hold for the function and. This is the case since the equations
reduce to the above tautologies (up to commutativity) by using the definitions
of the functions and and red.
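Under the same hypothetical tuple encoding used before ("F", "T", or (x, s0, s1)), the procedure and together with the auxiliary red can be sketched in Python; variable names are assumed to be comparable with <, matching the variable order:

```python
def red(x, s, t):
    # Reduction: collapse a node whose two subtrees are equal.
    return s if s == t else (x, s, t)

def conj(s, t):
    """Prime tree for the conjunction of the prime trees s and t."""
    if s == "F" or t == "F":
        return "F"
    if s == "T":
        return t
    if t == "T":
        return s
    x, s0, s1 = s
    y, t0, t1 = t
    if x == y:
        return red(x, conj(s0, t0), conj(s1, t1))
    if x < y:                       # x must come first in the result
        return red(x, conj(s0, t), conj(s1, t))
    return red(y, conj(s, t0), conj(s, t1))
```

The three recursive cases mirror the three equations with π above, with red restoring reducedness after the subtrees are combined.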
You now know enough so that you can devise algorithms for the other Boolean
operations. Things are as before since for every name ◦ : BBB the following
equations are deducible with BCAR (◦ is written as infix operator):
(x, y, z) ◦ (x, y′, z′) = (x, y ◦ y′, z ◦ z′)
u ◦ (x, y′, z′) = (x, u ◦ y′, u ◦ z′)
(x, y, z) ◦ u = (x, y ◦ u, z ◦ u)
This follows with BCAR on x and the tautologies of Proposition 8.2.1.
Exercise 8.7.1 Develop an algorithm that for two prime trees s, t yields the
prime tree for s = t. Implement the algorithm in Standard ML. Proceed as fol-
lows:
a) Complete the following equations so that they become tautologies on which
the algorithm can be based.
(x = ⊤) =
(⊥ = ⊥) =
((x, y, z) = (x, y′, z′)) =
((x, y, z) = u) =
b) Complete the declarations of the procedures red and equiv so that equiv com-
putes for two prime trees s, t the prime tree for s = t. The variable order is
the order of int. Do not use other procedures.
type var = int
datatype dt = F | T | D of var * dt * dt
fun red x s t =
fun equiv T t =
| equiv s T =
| equiv F F =
| equiv F (D(y,t0,t1)) =
| equiv (D(x,s0,s1)) F =
| equiv (s as D(x, s0, s1)) (t as D(y, t0, t1)) =
    if x=y then
else if x<y then
else
Exercise 8.7.2 Let decision trees be represented as in Exercise 8.7.1, and let
propositional formulas be represented as follows:
datatype pf = FF | TT | V of var | NEG of pf | AND of pf * pf
| OR of pf * pf | IMP of pf * pf | EQ of pf * pf
Write a procedure pi : pf → dt that yields the prime tree for a propositional for-
mula. Be smart and only use the prime tree algorithm for implication (all propo-
sitional connectives can be expressed with → and ⊥).
Figure 8.2: A BDD and the decision tree represented by the topmost node
Exercise 8.7.3 Find two prime trees (x, s0, s1) and t such that:
i) (x,π(s0 → t), π(s1 → t)) is not a prime tree.
ii) ∀y∈V t : x < y .
8.8 BDDs
Trees can be represented as nodes of graphs. Graphs whose nodes represent
decision trees are called BDDs (binary decision diagrams). Binary decision diagrams were introduced by Lee (1959), and further studied and made known by Akers (1978) and Boute (1976).
Figure 8.2 shows a BDD. The node labeled with the variable x represents the
decision tree shown to the right. Dotted edges of the graph lead to left subtrees
and solid edges to right subtrees. Subtrees that occur more than once in a deci-
sion tree need only be represented once in a BDD (so-called structure sharing).
In our example BDD the node labeled with z represents a subtree that occurs
twice in the decision tree on the right.
Formally, a BDD is a function γ such that there exists a natural number N ≥ 1
such that
1. γ ∈ {2, . . . , N} → Var × {0, . . . , N} × {0, . . . , N}.
2. ∀ (n, (x, n0, n1)) ∈ γ : n > n0 ∧ n > n1.
The nodes of γ are the numbers 0, . . . , N. The nodes 0 and 1 represent the decision trees ⊥ and ⊤. A node n ≥ 2 with γn = (x, n0, n1) carries the label x and has two outgoing edges pointing to n0 and n1, where the edge to n0 is dotted
and the edge to n1 is solid. Note that the second condition in the definition of
BDDs ensures that BDDs are acyclic. The BDD drawn in Figure 8.2 is the following
function (in table representation):
2   (z, 1, 0)
3   (y, 0, 2)
4   (x, 2, 3)
For every BDD γ we define the function
Tγ ∈ {0,1} ∪ Dom γ → DT
Tγ 0 = ⊥
Tγ 1 = ⊤
Tγ n = (x, Tγ n0, Tγ n1)   if γn = (x, n0, n1)
which yields for every node n of γ the decision tree represented by γ and n.
A BDD is minimal if different nodes represent different trees. The BDD in
Figure 8.2 is minimal.
Proposition 8.8.1 (Minimality) A BDD is minimal if and only if it is injective.
Proof Let γ be a BDD such that Dom γ = {2, . . . , n}. That minimality implies
injectivity follows by contraposition. For the other direction assume that γ is
injective. We show the minimality of γ by induction on n. For n = 1 the claim
is obvious. Otherwise, let γn = (x, n0, n1). Assume γ is not minimal. Then there exists a k ≠ n such that Tγk = Tγn. Hence γk = (x, k0, k1) such that Tγk0 = Tγn0 and Tγk1 = Tγn1. By induction we know that the restriction of γ to {2, . . . , n − 1} is minimal. Hence k0 = n0 and k1 = n1. Hence γk = γn. Since
k ≠ n this contradicts the assumption that γ is injective. �
Given the table representation of a BDD, it is very easy to see whether it is
minimal: The BDD is minimal if and only if no triple (x,n0, n1) occurs twice in
the right column of the table representation.
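Under an assumed Python encoding of the table representation as a dictionary mapping nodes to triples, both the function Tγ and the minimality check just described take only a few lines; the table below is the BDD of Figure 8.2:

```python
# A BDD as a table: node -> (variable, left successor, right successor).
# Nodes 0 and 1 stand for the leaves ⊥ ("F") and ⊤ ("T").
# The dictionary encoding is an assumption of this sketch.
gamma = {2: ("z", 1, 0), 3: ("y", 0, 2), 4: ("x", 2, 3)}

def tree(gamma, n):
    """The decision tree represented by node n of the BDD gamma."""
    if n == 0:
        return "F"
    if n == 1:
        return "T"
    x, n0, n1 = gamma[n]
    return (x, tree(gamma, n0), tree(gamma, n1))

def minimal(gamma):
    """Minimal iff no triple occurs twice, i.e. gamma is injective."""
    triples = list(gamma.values())
    return len(triples) == len(set(triples))
```

The acyclicity condition n > n0 ∧ n > n1 guarantees that the recursion in tree terminates.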
Note that there is exactly one minimal BDD that represents all subtrees of
a given prime tree. All nodes of this BDD are reachable from the node that represents the given tree. Note that this root appears as the last node in the
table representation.
Techniques that represent terms as numbers that identify entries in tables are known as term indexing. BDDs are a typical example of term indexing.
Exercise 8.8.2 Let s be the propositional formula (x∧y ≡ x∧z) ∧ (y∧z ≡ x∧z). Assume the variable order x < y < z.
a) Draw the prime tree for s.
b) Draw a minimal BDD whose nodes represent the subtrees of the prime tree
for s.
c) Give the table representation of the BDD. Label each non-terminal node of
your BDD with the number representing it.
Exercise 8.8.3 (Parity Function) Let the Boolean variables x1 < x2 < x3 < x4 be
given. The parity function for these variables is the Boolean function that yields 1
for an assignment σ iff the sum σx1+σx2+σx3+σx4 is an even number. Draw
the minimal BDD whose root represents the prime tree for the parity function.
Observe that it is easy to obtain a minimal BDD for parity functions with addi-
tional variables (x4 < x5 < x6 < · · · ). Observe that the prime tree represented
by the root node of the BDD is exponentially larger than the BDD.
Exercise 8.8.4 (Impact of Variable Order) The size of the BDD representing the
parity function in Exercise 8.8.3 does not depend on the chosen variable order.
In general, this is not the case. There may be an exponential blow up if an
unfortunate variable order is chosen. Consider the formula
(x1 ∨ x2)∧ (x3 ∨ x4)∧ · · · ∧ (x2n−1 ∨ x2n)
The minimal BDD for this formula has 2n + 2 nodes if we choose the order
x1 < x2 < · · · < x2n. Draw it for n = 2. If we choose the order
x1 < x3 < · · · < x2n−1 < x2 < x4 < · · · < x2n
the minimal BDD has 2^(n+1) nodes. Draw it for n = 2.
8.9 Polynomial Runtime through Memoization
With the BDD representation it is possible to implement the prime tree algo-
rithms for the Boolean connectives with runtime O(‖m‖ · ‖n‖), where m and n are the nodes representing the prime trees and ‖m‖ and ‖n‖ are the counts of the nodes reachable from m and n, respectively. The basic observation is that every call of the procedure takes as arguments two nodes m′ and n′ that are reachable from m and n, respectively. Hence, if we record for each call already performed that it was done and what result it returned, we can avoid computing the same call more than once. Without this dynamic programming technique, prime tree algorithms like and have exponential worst-case complexity. The memoization is implemented with hashing. For this it is essential that the trees are represented as numbers.
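A minimal Python sketch of this technique for conjunction follows. Nodes 0 and 1 stand for ⊥ and ⊤; the table rev implements the hash-based structure sharing so that equal subtrees get the same number, and memo caches calls so that each pair of nodes is combined at most once. All names and the dictionary encoding are inventions of this sketch:

```python
table = {}   # node number -> (variable, left successor, right successor)
rev = {}     # (variable, left, right) -> node number (structure sharing)
memo = {}    # (m, n) -> result node, so each call is computed only once

def mk(x, n0, n1):
    """Return the (shared) node for (x, n0, n1), reducing if n0 = n1."""
    if n0 == n1:
        return n0
    key = (x, n0, n1)
    if key not in rev:
        node = len(table) + 2      # fresh number above all existing nodes
        table[node] = key
        rev[key] = node
    return rev[key]

def conj(m, n):
    """Node representing the conjunction of the trees at nodes m and n."""
    if m == 0 or n == 0:
        return 0
    if m == 1:
        return n
    if n == 1:
        return m
    if (m, n) in memo:
        return memo[(m, n)]
    x, m0, m1 = table[m]
    y, n0, n1 = table[n]
    if x == y:
        r = mk(x, conj(m0, n0), conj(m1, n1))
    elif x < y:
        r = mk(x, conj(m0, n), conj(m1, n))
    else:
        r = mk(y, conj(m, n0), conj(m, n1))
    memo[(m, n)] = r
    return r
```

Because mk hands out one number per distinct triple, the resulting table stays a minimal BDD, and memo bounds the number of recursive calls by the product of the two node counts.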
8.10 Remarks
Decision trees and graph representations of decision trees have been known for
a long time, but the canonical representation with ordered and reduced decision
trees and minimal graph representations were discovered only in 1986 by Randal
Bryant [33]. You will find his famous paper on the Internet. Huth and Ryan's
textbook [23] gives a detailed presentation of BDDs. You will also find useful
information in the Wikipedia entry for binary decision diagrams.
9 Modal Logic
• Modal logic was conceived as an extension of propositional logic that can
express additional modes of truth: necessarily true and possibly true.
• In 1918, C.I. Lewis published a deductive system for modal logic. His system
was improved by Kurt Gödel in 1933.
• In 1963, Saul Kripke gave the by now standard semantics for modal logic and
showed soundness and completeness.
• Before computer scientists got involved, modal logic was mainly developed by
logicians from philosophy.
• Temporal logic is an extension of modal logic. Major contributions were made
by the philosophers Arthur Prior (1967) and Hans Kamp (1968).
• In 1977, Amir Pnueli realized that temporal logics could be used for specify-
ing and reasoning about concurrent programs. The temporal logics LTL and
CTL are now in wide use.
• In 1976, Vaughan Pratt invented dynamic logic, which is an extended modal
logic to be used for program verification.
• In 1991, Klaus Schild discovered that terminological logics, then developed for
knowledge representation, are in fact modal logics. Nowadays, terminological
logics are known as description logics [4]. Description logic is the basis for the
web ontology language OWL (see Wikipedia). There is a connection between
dynamic logic and description logic.
• Modal logics are decidable and have the finite model property. Terminating
tableau systems can be used as decision procedures and are the most efficient choice when it comes to description logics and OWL.
• We consider a modal logic M that subsumes the basic modal logic K and the
basic description logic ALC. We develop a terminating tableau system for M.
• We study modal logic as a fragment of simple type theory, as we did before
for propositional logic and first-order logic.
9.1 Modal Terms
We assume a sort I of individuals and work with three types of variables:
x,y : I individual variables
p, q : IB property variables
r : IIB relation variables
Note that properties are unary predicates and relations are binary predicates. At the heart of modal logic are terms of type IB describing properties of individuals. Modal terms are obtained with the following names, called modal constants:
⊥, ⊤ : IB
¬ : (IB)IB
∧, ∨, →, ≡ : (IB)(IB)IB
□, ♦ : (IIB)(IB)IB
Modal terms and modal formulas are now defined as follows:
t ::= p | ⊥ | ⊤ | ¬t | t ∧ t | t ∨ t | t → t | t ≡ t | □rt | ♦rt   modal terms
s ::= tx | rxx | ∀t modal formulas
Note that modal terms and modal formulas are λ-free although they may use the quantifier ∀I.
The semantics of the modal constants is expressed by the equations in Figure 9.1. Except for the modalities □ and ♦, the semantics of the modal constants is easy to understand: they lift the propositional constants from Booleans (type B) to properties (type IB). The modalities are specialized quantifiers that can be explained as follows:
• □rpx holds if every r-successor of x satisfies p.
• ♦rpx holds if there is an r -successor of x that satisfies p.
A modal interpretation is a logical interpretation that satisfies the equations
defining the modal constants. In the context of modal logic, we consider only
modal interpretations and consider the modal constants as additional logical constants. All names that are not constants (logical or modal) are called variables. We assume that p and q only range over names that are different from ⊥ and ⊤.
We use M to refer to the set of equations in Figure 9.1. The next proposition
states that our modal logic is a translational fragment of PLN.
Proposition 9.1.1 (First-Order Translation) For every modal formula s there exists a PLN-formula t such that M ⊢ s = t.
⊥ = λx. ⊥
⊤ = λx. ⊤
¬ = λpx. ¬px
∧ = λpqx. px ∧ qx
∨ = λpqx. px ∨ qx
→ = λpqx. px → qx
≡ = λpqx. px ≡ qx
□ = λrpx. ∀y. rxy → py
♦ = λrpx. ∃y. rxy ∧ py
Figure 9.1: Equations defining the modal constants (set M)
Proof Let s be a modal formula. First we eliminate the modal constants by apply-
ing the equations in M. Then we apply β-reduction and eliminate all β-redexes.
Next we apply η-expansion to subterms of the form ∀p to obtain ∀x.px. Finally
we eliminate the propositional constants ⊥, ⊤, →, and ≡, which is straightforward. ∎
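The translation underlying Proposition 9.1.1 is essentially the standard translation of modal logic into first-order logic. As an illustration only, here is a Python sketch that renders a fragment of the modal terms as first-order formula strings; the tuple encoding of terms and the ASCII output syntax are assumptions of this sketch:

```python
import itertools

def st(t, x, fresh=None):
    """Standard translation of the modal term t at individual variable x,
    rendered as a first-order formula string (ad-hoc syntax)."""
    if fresh is None:
        fresh = itertools.count()   # supply of fresh individual variables
    kind = t[0]
    if kind == "var":               # property variable p becomes p(x)
        return f"{t[1]}({x})"
    if kind == "not":
        return f"~{st(t[1], x, fresh)}"
    if kind == "and":
        return f"({st(t[1], x, fresh)} & {st(t[2], x, fresh)})"
    if kind == "box":               # □r t: all r-successors satisfy t
        y = f"y{next(fresh)}"
        return f"forall {y}. ({t[1]}({x},{y}) -> {st(t[2], y, fresh)})"
    if kind == "dia":               # ♦r t: some r-successor satisfies t
        y = f"y{next(fresh)}"
        return f"exists {y}. ({t[1]}({x},{y}) & {st(t[2], y, fresh)})"
    raise ValueError(kind)
```

Each modality introduces one fresh individual variable, matching the quantifier in its defining equation in Figure 9.1.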
Notationally, the modal constants (except ⊥ and ⊤) act as operators that take their arguments before =. Their binding strength increases in the order

=   ≡   →   ∨   ∧   ¬ □ ♦
The modal operators ¬, □, and ♦ group to the right. For instance, the formula ¬□rt = ♦r¬t is to be read as (¬(□rt)) = (♦r(¬t)).
Exercise 9.1.2 Translate the following modal formulas into first-order formulas:
a) (p ∨ q)x
b) ∀(p → q)
c) (□r(p → ♦rp))x
d) (□r♦r¬p)x
We call modal formulas of the form px or rxy primitive. Note that the formulas ⊥x and ⊤x are not primitive.
married mike mary
haschild mike rob
owns mike x
BMW x
man mike
∀(BMW → car)
∀(man → person)
∀(man → male)
∀(parent ≡ person ∧ ♦haschild ⊤)
∀(person → □haschild person)
Figure 9.2: A knowledge base
9.2 A Knowledge Base
Figure 9.2 shows an example of a knowledge base that demonstrates the use
of modal logic as a knowledge representation language. Every line is a modal
formula. The types of the variables are as follows:
• married, haschild, and owns are relation variables.
• BMW, man, car, person, parent are property variables.
• mike, mary, rob, x are individual variables.
The primitive formulas of the knowledge base provide facts about individuals.
The non-primitive formulas provide so-called terminological information about
predicates like person and haschild. If K is the knowledge base (i.e., a set of modal formulas) and s is a modal formula, we say that K semantically entails s if K, M ⊨ s (read K, M as K ∪ M). For instance:
K, M ⊨ person mike
K, M ⊨ male mike
K, M ⊨ person rob
Intuitively, mary should be a person as well, but logically, there is nothing in the knowledge base that enforces this property. In fact:
K, M ⊭ person mary
K, M ⊭ ¬person mary
Figure 9.3 lists all primitive formulas that are semantically entailed by the knowl-
edge base in Figure 9.2 in a graphical format we call a transition graph.
Figure 9.3: A set of primitive formulas represented as a transition graph
There are many computational services one can associate with a knowledge base. For instance, one can use modal terms as a query language. Given a knowledge base K and a modal term t, this service yields all names x such that K semantically entails tx. Here are example queries:
1. person yields mike and rob.
2. car yields x.
3. ♦haschild⊤ yields mike.
4. ♦married person yields nothing.
Exercise 9.2.1 List all the primitive formulas given by the transition graph in
Figure 9.3.
9.3 Kripke Sets
A Kripke set is a set of primitive modal formulas.1 Finite Kripke sets can be
represented as transition graphs. The Kripke set in Figure 9.3 is tree-like. The
Kripke set {rxy, ryz, rzx} has a cyclic transition graph: three nodes x, y, z with r-edges from x to y, from y to z, and from z to x.
We will use Kripke sets as interpretations for modal formulas. Note that every
non-empty Kripke set contains at least one individual variable. To avoid prob-
lems with the empty Kripke set, we fix an individual variable x0 and call it the
1 For experts: Kripke sets can be seen as a syntactic variant of Kripke structures where the states are individual variables. We can also see Kripke sets as Herbrand models for modal logic.
default variable. We define the carrier CA of a set of modal formulas A as fol-
lows: CA = {x0} if A is empty, and CA = {x ∈NA | x : I } if A is non-empty.
An interpretation I agrees with a Kripke set K if it is modal and satisfies the
following conditions:
1. II = CK
2. Ix = x for all x ∈ CK
3. Ipx = (px ∈ K) for all p : IB and all x ∈ CK
4. Irxy = (rxy ∈ K) for all r : IIB and all x, y ∈ CK
Note that for every Kripke set there are infinitely many interpretations that agree
with it. If an interpretation agrees with a Kripke set K, the interpretations of
property and relation variables are determined by K. Moreover, the interpretation of the individual variables in CK is determined by K. As for the other individual variables, K only requires that they be interpreted as elements of CK.
It turns out that all interpretations that agree with a given Kripke set K also
agree on the interpretation of all modal formulas. We can thus understand a
Kripke set as a specialized interpretation for modal formulas. Given a Kripke
set K, we can define an evaluation function K such that Ks = Is for all modal
formulas and all interpretations I that agree with K. Figure 9.4 defines K by
recursion on the size of formulas. Note that K is computable if K is finite. We
can say that finite Kripke sets are a computable semantics for modal formulas.
Proposition 9.3.1 If an interpretation I agrees with a Kripke set K, then Is = Ks for all modal formulas s.
Proof By induction on the size of s. �
A Kripke set K satisfies a modal formula s if Ks = 1. A Kripke set satisfies
a set of modal formulas if it satisfies every formula of the set. A Kripke model
of a formula [set of modal formulas] is a Kripke set that satisfies the formula
[set]. A formula [set of formulas] is modally satisfiable if it is satisfied by at
least one modal interpretation, and modally valid if it is satisfied by all modal
interpretations.
Proposition 9.3.2 Let s be a modal formula. Then:
1. If s is satisfied by a Kripke set, then s is modally satisfiable.
2. If s is modally valid, then s is satisfied by every Kripke set.
Proof Follows from Proposition 9.3.1 and the fact that for every Kripke set there
is an interpretation agreeing with it. �
K(px) = (px ∈ K)
K(⊥x) = 0
K(⊤x) = 1
K((¬t)x) = ¬K(tx)
K((t1 ∧ t2)x) = (K(t1x) ∧ K(t2x))
K((t1 ∨ t2)x) = (K(t1x) ∨ K(t2x))
K((t1 → t2)x) = (K(t1x) ⇒ K(t2x))
K((t1 ≡ t2)x) = (K(t1x) = K(t2x))
K(□rtx) = (∀y : rxy ∈ K ⇒ K(ty))
K(♦rtx) = (∃y : rxy ∈ K ∧ K(ty))
K(∀t) = (∀x ∈ CK : K(tx))
K(rxx) = (rxx ∈ K)
Figure 9.4: Definition of the evaluation function K for a Kripke set K
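Since K is computable when K is finite, the equations of Figure 9.4 can be turned directly into a program. Here is a Python sketch for a fragment of the modal constants; the encoding of a Kripke set as a set of tuples such as ("p", "x") for px and ("r", "x", "y") for rxy is an assumption of this sketch:

```python
def carrier(K):
    """Individual variables occurring in K; a fixed default if K is empty."""
    C = {a for f in K for a in f[1:]}
    return C or {"x0"}

def evt(K, t, x):
    """Evaluate the modal term t at the individual x in the Kripke set K."""
    kind = t[0]
    if kind == "var":  return (t[1], x) in K
    if kind == "bot":  return False
    if kind == "top":  return True
    if kind == "not":  return not evt(K, t[1], x)
    if kind == "and":  return evt(K, t[1], x) and evt(K, t[2], x)
    if kind == "or":   return evt(K, t[1], x) or evt(K, t[2], x)
    if kind == "box":  # every r-successor of x satisfies the body
        return all(evt(K, t[2], y) for y in carrier(K) if (t[1], x, y) in K)
    if kind == "dia":  # some r-successor of x satisfies the body
        return any(evt(K, t[2], y) for y in carrier(K) if (t[1], x, y) in K)
    raise ValueError(kind)
```

On the Kripke set {rxy, py, rxz, qz} used as a counterexample below, this evaluator confirms that □r(p ∨ q) holds at x while □rp does not.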
Later we will show that every modally satisfiable modal formula is satisfied
by a finite Kripke set. The finiteness part of this important result is known as the finite model property.
Due to Proposition 9.3.2 we can use Kripke sets to prove that a modal formula is modally satisfiable or not modally valid. As an example, consider
the modal formula (□r(p ∨ q) → □rp ∨ □rq)x. Is it satisfied by every modal interpretation? The Kripke set {rxy, py, rxz, qz}
shows that this is not the case since it doesn’t satisfy the formula.
Exercise 9.3.3 For each of the following formulas find a finite Kripke set satisfy-
ing it.
a) (□r(p ∨ q) → □rp ∨ □rq)x
b) ¬(□r(p ∨ q) → □rp ∨ □rq)x
c) ∀(♦rp ∧ (p → ♦rq))
Exercise 9.3.4 For each of the following formulas find a Kripke set that doesn’t
satisfy the formula. Your sets should employ only two individual variables. First
draw the sets as transition graphs and then list them explicitly.
a) □r(p ∨ q) = □rp ∨ □rq
b) ♦r(p ∧ q) = ♦rp ∧ ♦rq
Exercise 9.3.5 Which of the following formulas are modally valid? If a formula is not valid, find a Kripke set that doesn't satisfy it.
a) ∀(♦r(p ∧ q) → ♦rp ∧ ♦rq)
b) ∀(□r(p ∨ q) → □rp ∨ □rq)
c) □r⊤ = ⊤
d) ♦r⊥ = ⊤
e) ♦r⊥ = ⊥
f) ♦r⊤ = □rp → ♦rp
Exercise 9.3.6 (Herbrand Models) In his dissertation submitted in 1929, Jacques Herbrand introduced syntactic models for first-order logic that are now known as Herbrand models. Kripke sets are in fact Herbrand models
for modal logic. Herbrand models are interesting for first-order logic since a
first-order formula is satisfiable if and only if it is satisfied by a Herbrand model.
Herbrand models can be constructed with the tableau method.
a) A Herbrand model for propositional logic is a set of Boolean variables. Let H be a set of Boolean variables. Define the evaluation function H that assigns
to every propositional formula a Boolean value. Hint: Follow the definition
of the evaluation function for Kripke sets and the grammar for propositional
formulas.
b) Explain how the tableau method can be used to construct finite Herbrand
models for satisfiable propositional formulas.
c) Find a Herbrand model for the propositional formula ¬x ∧ (x → y ∨ z).
d) A Herbrand model for PLN is a set of PLN-formulas of the form px1 . . . xn
where n ≥ 0. Let H be such a set. Define the evaluation function H that
assigns to every PLN-formula a Boolean value.
e) Find finite Herbrand models for the following PLN-formulas:
i) rxy ∧ qx ∧ (rxy → rxx)
ii) ∀y∃y. rxy
p → q = ¬p ∨ q
p ≡ q = (p → q) ∧ (q → p)
¬¬p = p
¬(p ∧ q) = ¬p ∨ ¬q
¬(p ∨ q) = ¬p ∧ ¬q
¬□rt = ♦r¬t
¬♦rt = □r¬t
□r(p ∧ q) = □rp ∧ □rq
♦r(p ∨ q) = ♦rp ∨ ♦rq
p=q ≡ ∀(p≡q)
¬px ≡ (¬p)x
Figure 9.5: Some equations deducible from M
9.4 Some Deducible Facts
Figure 9.5 shows some interesting equations that are deducible from M.
Exercise 9.4.1 Find tableau proofs for the equations in Figure 9.5.
A modal term is propositional if it doesn't contain □ or ♦. If tx is a modal formula such that t is a propositional modal term, then M ⊢ tx if and only if t, seen as a propositional formula, is deducible. To turn a propositional modal term into a propositional formula, do the following:
1. Replace the dotted modal connectives with their propositional counterparts.
2. Replace the property variables with Boolean variables.
Proposition 9.4.2 Let t be a propositional modal term and s be a propositional formula that corresponds to t. Then M ⊢ ∀t iff ⊢ s.
Proof Let x : I. It suffices to show M ⊢ tx iff ⊢ s. By the first-order translation (Proposition 9.1.1) we obtain a first-order formula u such that M ⊢ tx iff ⊢ u. The formula u is like s except that the Boolean variables appear as formulas px. Hence ⊢ u follows from ⊢ s by Sub. The other direction follows by Sub and β-reduction. The substitution θ is chosen such that θp = λx.b for every property variable p occurring in t and the Boolean variable b corresponding to p. ∎
Exercise 9.4.3 For each of the following formulas s, show M ⊢ s with a tableau proof.
a) ♦r⊤ = □rp → ♦rp
b) ¬□rt = ♦r¬t
c) ∀(□r(p → q) → □rp → □rq)
9.5 Modal Completeness
We will prove a completeness result for formulas involving modal constants. The
result builds on the completeness result for PLN (Theorem 6.6.7). To show the
result, we need some notions and results that apply to simple type theory in
general.
9.5.1 Interderivability
Let S1, S2 be sequents. We write S1/S2 if the proof step ({S1}, S2) is derivable
in the basic proof system. Moreover, we write S1‖S2 and say that S1 and S2 are
interderivable if S1/S2 and S2/S1.
Proposition 9.5.1 Let S1/S2. Then:
1. If S1 is deducible, then S2 is deducible.
2. If S1 is valid, then S2 is valid.
Proof The first claim is obvious. The second claim holds since the basic proof
system is sound. �
Proposition 9.5.2 Here are some facts that we expressed before with proof rules.
The name Gen stands for generalization.
• Contra   A ⊢ s ‖ A, ¬s ⊢ ⊥
• Ded   A ⊢ s → t ‖ A, s ⊢ t
• Gen   A ⊢ ∀x.s ‖ A ⊢ s   if x ∉ NA
• Rep   A, s ⊢ ⊥ ‖ A, t ⊢ ⊥   if A ⊢ s=t
• Rep   A ⊢ s ‖ A ⊢ t   if A ⊢ s=t
Exercise 9.5.3 Prove Proposition 9.5.2.
9.5.2 Theories
A theory is a pair (S, F) such that S is a finite set of formulas and F is a set of
formulas. We see S as the specification of the theory and F as the formulas of
the theory. Here are examples of theories:
• Propositional logic. Here S = ∅ and F is the set of all propositional formulas.
• First-order logic. Here S = ∅ and F is the set of all first-order formulas.
• Modal logic. Here S = M and F is the set of all modal formulas.
A theory (S, F) is complete if S, A ⊨ ⊥ =⇒ S, A ⊢ ⊥ for every finite A ⊆ F. A theory (S, F) is decidable if S, A ⊢ ⊥ is decidable for finite A ⊆ F. We have
shown that propositional logic is complete and decidable. It is well-known that
first-order logic is complete (Gödel 1929) and undecidable (Church 1936). We
will show that modal logic is complete and decidable.
For a theory (S, F), we define the equivalence closure of F under S as follows:
[F]S := { s | ∃t ∈ F : S ⊢ s≡t }
The equivalence closure [F]S consists of all formulas that under S are deduc-
tively equivalent to a formula in F .
Proposition 9.5.4 Let (S, F) be a complete theory. Then (S, [F]S) is complete.
Proof Let A = {s1, . . . , sn} ⊆ [F]S and S, A ⊨ ⊥. We show S, A ⊢ ⊥. Let {t1, . . . , tn} ⊆ F such that S ⊢ si=ti for all i. Then S, t1, . . . , tn ⊨ ⊥ by Rep. Hence S, t1, . . . , tn ⊢ ⊥ by completeness of (S, F). Thus S, A ⊢ ⊥ by Rep. ∎
9.5.3 Pure First-Order Logic
A formula is called a pure first-order formula if it can be obtained with the
following grammar:
s ::= px . . . x | ⊥ | ⊤ | ¬s | s → s | s ∧ s | s ∨ s | s ≡ s | ∀x.s | ∃x.s
where x : I and p : I . . . IB are variables
Compared to general first-order formulas, there are three restrictions:
1. Only two sorts B and I.
2. No functional names f : I . . . II.
3. No equations t1 =I t2.
The terms p(fx) and x = y where x,y : I, f : II, and p : IB are examples of
first-order formulas that are not pure. One can show that pure first-order logic is still undecidable, even if further restricted to a single predicate variable p : IIB (see [8]). We use PFO to denote the set of all pure first-order formulas.
Proposition 9.5.5 [PFO]M contains all modal formulas.
Proof The claim is a reformulation of Proposition 9.1.1. �
Recall the definition of PLN-formulas in § 6.6. Let PLN be the set of all
PLN-formulas. Clearly, every pure PLN-formula is a pure first-order formula.
However, the opposite is not true. For instance, PLN-formulas do not admit ⊥ and →. Moreover, the definition of PLN doesn't admit all individual names as local names. Theorem 6.6.7 states that a subset of PLN that further restricts the
use of individual names is complete. We will now show that this completeness
result extends to pure first-order logic. We assume that every individual name is
in P ∪V (this is consistent with the definition of PLN).
Proposition 9.5.6 PFO ⊆ [PLN]∅
Exercise 9.5.7 Show that the closure [PLN]∅ contains ⊥ and is closed under →.
Moreover, show that ∀x.s is in the closure if s is in the closure and x : I is an
individual name (possibly a parameter).
Proposition 9.5.8 (Renaming) Let s be a formula and θ and θ′ be substitutions
such that θ′(θs) = s. Then ⊢ θs ‖ ⊢ s.
Proof Follows with Sub. �
The proposition gives us the possibility to rename the free individual names
of a formula to those that are allowed by the subset of PLN for which Theorem 6.6.7 establishes completeness. If the renaming is invertible, it doesn't affect deducibility and validity. We thus know that (∅, PLN) is complete. The rest is easy, since every pure first-order formula is in the closure [PLN]∅. Hence the completeness of pure first-order logic follows with Proposition 9.5.4.
Theorem 9.5.9 (Completeness) Pure first-order logic is complete.
9.5.4 Defined Constants
The equational definition of constants can be expressed with a substitution that
maps the constants to their defining terms. We will only consider non-recursive
definitions. Hence we can require that the defined constants do not occur in the
defining terms. This property is equivalent to a property called idempotence.
A substitution θ is idempotent if θx = θ(θx) for all names x. We use [θ] to
denote the set of all equations x=θx such that x is a name and θx ≠ x. We call
a substitution θ finite if [θ] is a finite set of equations. Convince yourself that
the equations in Figure 9.1 yield a finite and idempotent substitution θ such that
[θ] = M. This substitution eliminates the modal constants when it is applied.
Proposition 9.5.10 (Defined Constants) Let θ be finite and idempotent. Then
A, [θ] ⊢ s ‖ θA ⊢ θs.
Proof The direction from left to right follows with Sub if ⊢ θ[θ]. This is the case since θ[θ] contains only trivial equations u=u, as θ is idempotent. The other direction follows with Rep since [θ] ⊢ θt=t for all terms t. ∎
Lemma 9.5.11 Let (S, F) be complete and θ be a finite and idempotent substitu-
tion such that θS = S, θF ⊆ [F]S , and θ⊥ = ⊥. Then (S ∪ [θ], F) is complete.
Proof Let S, [θ], A ⊨ ⊥ and A ⊆ F. We show S, [θ], A ⊢ ⊥. Since θS = S and
θ⊥ = ⊥, we have S, θA ⊨ ⊥ by Proposition 9.5.10. Since θA ⊆ θF ⊆ [F]S and S
is complete for [F]S (Proposition 9.5.4), we have S, θA ⊢ ⊥. Since θS = S and
θ⊥ = ⊥, we have S, [θ], A ⊢ ⊥ by Proposition 9.5.10. ∎
9.5.5 The Main Result
The main result of this section says that we are complete for formulas that can
be translated into pure first-order logic with the equations defining the modal
constants.
Theorem 9.5.12 (Modal Completeness) (M, [PFO]M) is complete.
Proof Let θ be the finite and idempotent substitution such that M = [θ]. By
Proposition 9.5.4 it suffices to show that (M, PFO) is complete. Let s ∈ PFO. By
Lemma 9.5.11 it suffices to show that θs ∈ [PFO]M. By checking the types of
the modal constants one sees that θ can only replace ⊥ and ⊤ in s. Moreover,
⊥ and ⊤ can only occur as ⊥x and ⊤x in s. Hence it suffices to show that (λx.⊥)x
and (λx.⊤)x are deductively equivalent to pure first-order formulas. This is
obvious. ∎
Corollary 9.5.13 Modal logic, that is, the theory consisting of M and the set of
modal formulas, is complete.
Proof Follows from Theorem 9.5.12 and Proposition 9.5.5. ∎
9.6 Modal Refutability
Let A be a finite set of modal formulas. We say that A is modally refutable if
M, A ⊢ ⊥.
Proposition 9.6.1 A finite set of modal formulas is modally unsatisfiable if and
only if it is modally refutable.
Proof Follows with soundness and modal completeness (Corollary 9.5.13). ∎
Many modal decision problems can be reduced to modal refutability. The next
proposition states some of them.
Proposition 9.6.2 (Reduction to Modal Refutability)
1. M, A ⊢ tx ‖ A, (¬t)x, M ⊢ ⊥
2. M, A ⊢ ∀t ‖ A, (¬t)x, M ⊢ ⊥ if x ∉ N A ∪ N t
3. M, A ⊢ t1=t2 ‖ A, ¬(t1≡t2)x, M ⊢ ⊥ if x ∉ N A ∪ N (t1≡t2)
Proof Follows with Proposition 9.5.2 and some of the deducible equations in
Figure 9.4. ∎
Note that the interderivabilities stated by Proposition 9.6.2 hold in general, that
is, A may contain non-modal formulas and t, t1, t2 may be non-modal terms of
type IB.
Later we will show that modal logic enjoys the finite model property: a finite
set of modal formulas is modally satisfiable if and only if it is satisfied by a
finite Kripke set. The next proposition states an interesting connection between
completeness and the finite model property.
Proposition 9.6.3 If modal logic has the finite model property, then modal
refutability is decidable.
Proof Let A range over finite sets of modal formulas. We know that M, A ⊢ ⊥
is semi-decidable (since ⊢ is). Hence it suffices to show that M, A ⊬ ⊥ is semi-
decidable. By modal completeness it suffices to show that M, A ⊭ ⊥ is semi-
decidable. This is the case since the finite model property holds and the finite
Kripke sets are recursively enumerable. ∎
Exercise 9.6.4 Reduce the following problems to modal refutability (analogous
to Proposition 9.6.2). Prove the correctness of your reductions.
a) M, A ⊢ ¬tx
b) M, A ⊢ ¬∀t
c) M, A ⊢ ∃t
d) M, A ⊢ t1≠t2 where t1, t2 : IB
e) M, A ⊢ ¬rxy
f) M, A ⊢ ∀x. t1x → t2x
9.7 A Tableau System for Modal Formulas
We define negation normal modal terms as follows:
t ::= p | ¬p | t ∧ t | t ∨ t | □rt | ♦rt
A modal formula is negation normal if every modal term it contains is negation
normal.
Proposition 9.7.1 For every modal term s there is a negation normal modal
term t such that M � s=t.
Exercise 9.7.2 Give a procedure that yields for every modal term an equivalent
negation normal term. Write the procedure as a system of terminating equations.
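One possible such procedure, sketched here in Python rather than as equations (the tuple encoding of modal terms is our assumption, not notation from these notes): negation is pushed inward with de Morgan and the modal dualities ¬□rt = ♦r¬t and ¬♦rt = □r¬t until it rests on atoms only.

```python
def nnf(t):
    """Translate a modal term into negation normal form.
    Terms: ("p", name), ("notp", name), ("not", t), ("and", t1, t2),
    ("or", t1, t2), ("box", rel, t), ("dia", rel, t)."""
    op = t[0]
    if op == "not":
        s = t[1]
        if s[0] == "p":    return ("notp", s[1])                 # ¬p is allowed
        if s[0] == "notp": return ("p", s[1])                    # ¬¬p = p
        if s[0] == "not":  return nnf(s[1])                      # ¬¬t = t
        if s[0] == "and":  return ("or",  nnf(("not", s[1])), nnf(("not", s[2])))
        if s[0] == "or":   return ("and", nnf(("not", s[1])), nnf(("not", s[2])))
        if s[0] == "box":  return ("dia", s[1], nnf(("not", s[2])))  # ¬□rt = ♦r¬t
        if s[0] == "dia":  return ("box", s[1], nnf(("not", s[2])))  # ¬♦rt = □r¬t
    if op in ("and", "or"):
        return (op, nnf(t[1]), nnf(t[2]))
    if op in ("box", "dia"):
        return (op, t[1], nnf(t[2]))
    return t  # p or ¬p
```

The recursion terminates since each negation case applies ¬ only to proper subterms.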
A set A of modal formulas is locally consistent if there is no formula tx such
that both tx and (¬t)x are in A.
Proposition 9.7.3 A locally inconsistent set of modal formulas is modally unsat-
isfiable.
Our goal is a terminating tableau system that for a finite set A of modal for-
mulas either constructs a finite Kripke set satisfying A or shows that A is modally
refutable. We will only consider negation normal modal formulas.
We can see the tableau system as a recursive procedure that attempts to
construct a satisfying Kripke set for a set of modal formulas. The procedure
emulates the equations defining the evaluation function for Kripke sets (see Fig-
ure 9.4). The equations tell us that a formula holds if certain smaller formulas
derived from it hold. The procedure adds the derived formulas to the set (called
the branch in tableau speak). If this saturation process terminates with a locally
consistent set, then the primitive formulas of this set constitute a satisfying
Kripke set for the initial set.
The outlined plan leads to the tableau system in Figure 9.6. The A in the side
conditions is the set of all formulas on the branch. All rules but R♦ are obvious
from the equations of the evaluation function. For R♦, the two side conditions
need explanation. The side condition y ∉ N A is needed for falsification soundness
(see below) and is closely related to the freshness condition of the Exists
rule in Figure 6.15. The second side condition of R♦ is needed so that the rule
cannot be applied repeatedly to the same ♦-formula.
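As a non-authoritative prototype of the outlined procedure, the following Python sketch implements the rules on branches of tuple-encoded formulas (tx as ("t", t, x), rxy as ("r", r, x, y), ∀t as ("all", t), terms in negation normal form; the encoding and all names are ours). It returns an open saturated branch, or None if every branch closes; like the basic system it may diverge when ∀ and ♦ interact.

```python
from itertools import count

_fresh = count()

def fresh():
    # Fresh world names; assumed not to clash with the input's names.
    return f"w{next(_fresh)}"

def names(branch):
    ns = {f[2] for f in branch if f[0] == "t"}
    ns |= {z for f in branch if f[0] == "r" for z in (f[2], f[3])}
    return ns or {"x0"}  # default name, standing in for the notes' x0

def saturate(branch):
    """Saturate a branch under the tableau rules; None means refutable."""
    branch = set(branch)
    while True:
        # R-negation: close the branch on px together with (¬p)x
        for f in branch:
            if f[0] == "t" and f[1][0] == "notp" and ("t", ("p", f[1][1]), f[2]) in branch:
                return None
        new, split = set(), None
        for f in branch:
            if f[0] == "all":                          # R-forall
                new |= {("t", f[1], x) for x in names(branch)}
            elif f[0] == "t":
                t, x = f[1], f[2]
                if t[0] == "and":                      # R-conjunction
                    new |= {("t", t[1], x), ("t", t[2], x)}
                elif t[0] == "or" and not ({("t", t[1], x), ("t", t[2], x)} & branch):
                    split = (("t", t[1], x), ("t", t[2], x))   # R-disjunction
                elif t[0] == "box":                    # R-box: push t to successors
                    new |= {("t", t[2], g[3]) for g in branch
                            if g[0] == "r" and g[1] == t[1] and g[2] == x}
                elif t[0] == "dia":                    # R-diamond, with side condition
                    if not any(g[0] == "r" and g[1] == t[1] and g[2] == x
                               and ("t", t[2], g[3]) in branch for g in branch):
                        y = fresh()
                        new |= {("r", t[1], x, y), ("t", t[2], y)}
        new -= branch
        if new:
            branch |= new
        elif split:
            for g in split:                            # try both disjuncts
                result = saturate(branch | {g})
                if result is not None:
                    return result
            return None
        else:
            return branch                              # saturated and open
```

An open result yields, via its primitive formulas, a satisfying Kripke set for the initial formulas, matching the verification argument below.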
9.7.1 Falsification Soundness
A tableau system is falsification sound if the existence of a closed tableau for a
set A implies that A is unsatisfiable. For the falsification soundness of the modal
tableau system we have to show two conditions:
1. If R¬ applies to A, then A is modally unsatisfiable.
2. If a rule applies to A and adds formulas and A is modally satisfiable, then we
can obtain a modal interpretation that satisfies A and the added formulas. In
the case of R∨ only one of the two alternatives must satisfy this requirement.
R¬:  (¬p)x / ⊥              if px ∈ A
R∧:  (t1 ∧ t2)x / t1x, t2x
R∨:  (t1 ∨ t2)x / t1x | t2x
R∀:  ∀t / tx                if x ∈ CA
R□:  □rtx / ty              if rxy ∈ A
R♦:  ♦rtx / rxy, ty         if y ∉ N A and ¬∃z : rxz, tz ∈ A

Figure 9.6: The basic modal tableau system TM (premise / conclusion, alternatives separated by |)
¬:  A, px, (¬p)x ⊢ ⊥
∧:  from A, t1x, t2x ⊢ ⊥ infer A, (t1 ∧ t2)x ⊢ ⊥
∨:  from A, t1x ⊢ ⊥ and A, t2x ⊢ ⊥ infer A, (t1 ∨ t2)x ⊢ ⊥
∀:  from A, tx ⊢ ⊥ infer A, ∀t ⊢ ⊥
□:  from A, ty ⊢ ⊥ infer A, rxy, □rtx ⊢ ⊥
♦:  from A, rxy, ty ⊢ ⊥ infer A, ♦rtx ⊢ ⊥   if y ∉ N A ∪ N (♦rtx)

Proviso: All proof steps assume M ⊆ A.

Figure 9.7: Proof steps for the modal tableau rules
Make sure you understand why the rules in Figure 9.6 satisfy the two conditions
for falsification soundness, and why the two conditions yield falsification sound-
ness.
9.7.2 Refutation Soundness
A set A of formulas is refutable if the sequent A � ⊥ is deducible. A tableau
system is refutation sound if the existence of a closed tableau for a set A implies
that A is refutable. Note that a tableau system is falsification sound if it is
refutation sound. The best way to establish refutation soundness is to show
that the proof steps corresponding to the tableau rules are derivable. The proof
steps for the modal tableau rules are shown in Figure 9.7.
Proposition 9.7.4 The proof steps for the modal tableau rules are derivable.
Exercise 9.7.5 Show that the proof steps for ∨ and � are derivable.
Exercise 9.7.6 Extend the tableau rules to modal formulas that are not negation
normal. Give the corresponding proof steps.
Exercise 9.7.7 Refute the following sets with modal tableau proofs.
a) ♦r(q ∨ ¬q)x, □rpx, □r(¬p)x
b) □r(q ∧ ¬q)x, (♦r(¬p) ∨ ♦rp)x
c) (¬(♦r(q ∨ ¬q) ≡ □rp → ♦rp))x
Exercise 9.7.8 Prove the validity of the following modal formulas by reduction
to modal refutability (Proposition 9.6.2) and modal tableaux.
a) ∀(□r(p ∧ q) → □rp ∧ □rq)
b) ∀(♦rp ∨ ♦rq → ♦r(p ∨ q))
c) ∀(♦r(p ∨ q) → ♦rp ∨ ♦rq)
9.7.3 Verification Soundness
Our tableau system is verification sound if every set of negation normal modal
formulas to which no tableau rule applies is modally satisfiable. We define a
class of sets that includes the sets just described. A set A of negation normal
modal formulas is evident if it satisfies the following conditions:
1. If (¬p)x ∈ A, then px ∉ A.
2. If (t1 ∧ t2)x ∈ A, then t1x ∈ A and t2x ∈ A.
3. If (t1 ∨ t2)x ∈ A, then t1x ∈ A or t2x ∈ A.
4. If ∀t ∈ A and x ∈ CA, then tx ∈ A.
5. If □rtx ∈ A and rxy ∈ A, then ty ∈ A.
6. If ♦rtx ∈ A, then there exists a y such that rxy ∈ A and ty ∈ A.
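The six conditions are directly mechanizable. A hedged sketch in Python (the tuple encoding of formulas is our assumption: tx as ("t", t, x), rxy as ("r", r, x, y), ∀t as ("all", t), terms in negation normal form; the set of names occurring in A stands in for CA):

```python
def evident(A):
    """Check the evidence conditions (1)-(6) for a set A of formulas."""
    worlds = {f[2] for f in A if f[0] == "t"} | \
             {z for f in A if f[0] == "r" for z in (f[2], f[3])}
    for f in A:
        if f[0] == "all":                       # condition 4 (worlds plays CA)
            if any(("t", f[1], x) not in A for x in worlds):
                return False
        elif f[0] == "t":
            t, x = f[1], f[2]
            if t[0] == "notp" and ("t", ("p", t[1]), x) in A:
                return False                    # condition 1
            if t[0] == "and" and not (("t", t[1], x) in A and ("t", t[2], x) in A):
                return False                    # condition 2
            if t[0] == "or" and not (("t", t[1], x) in A or ("t", t[2], x) in A):
                return False                    # condition 3
            if t[0] == "box" and any(
                    ("t", t[2], g[3]) not in A for g in A
                    if g[0] == "r" and g[1] == t[1] and g[2] == x):
                return False                    # condition 5
            if t[0] == "dia" and not any(
                    g[0] == "r" and g[1] == t[1] and g[2] == x
                    and ("t", t[2], g[3]) in A for g in A):
                return False                    # condition 6
    return True
```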
Proposition 9.7.9 Let A be a set of negation normal modal formulas to which no
rule of TM applies. Then A is evident.
Proof Straightforward. Check the definition and check the tableau rules. ∎
Proposition 9.7.10 (Model Existence) Let A be evident. Then the largest Kripke
set K ⊆ A satisfies A.
Proof Let K be the largest Kripke set such that K ⊆ A. We show by induction
on the size of formulas that K satisfies every formula s ∈ A. Let s ∈ A. Case
analysis.
If s is a primitive formula, the claim is trivial since s ∈ K.
If s = ¬t, then t is a primitive formula and t ∉ K. Hence Kt = 0 and Ks = 1.
If s = (t1 ∧ t2)x, then t1x and t2x are in A. By induction K(t1x) = K(t2x) = 1.
Hence Ks = 1.
If s = ♦rtx, then there exists a y such that rxy and ty are in A. By induction
we have K(ty) = 1. Since rxy ∈ K, we have Ks = 1.
The remaining cases are similar. ∎
Exercise 9.7.11 Use the tableau rules to construct an evident set that contains
the modal formula ((♦rp ∧ ♦rq) ∧ □r(¬p ∨ ¬q))x. Explain why the evident set
gives you a Kripke set that satisfies the formula.
9.8 Termination
A clause is a finite set of negation normal modal terms. A clause is ♦-free if it
doesn’t contain the modal constant ♦, and ∀-free if it doesn’t contain the logical
constant ∀. We write A → C if A and C are clauses and C can be obtained from A
by a basic modal tableau rule different from R¬. We call a pair (A, C) such that
A → C an expansion step.
Example 9.8.1 Here is a diverging TM-derivation starting from a satisfiable clause.
∀(♦rp) initial clause
♦rpx0 R∀
rx0y, py R♦
♦rpy R∀
ryz, pz R♦
. . .
The initial clause is satisfied by the Kripke set {rxx,px}. TM fails to construct
this set since it cannot introduce the cyclic transition rxx. ∎
The basic modal tableau system TM terminates for ∀-free clauses. Hence it
constitutes a decision procedure for the modal satisfiability of such clauses. If
we constrain R♦ with a further side condition, we obtain a system that termi-
nates for all clauses A. However, we have to rework the proof of verification
soundness since clauses to which no rule of the constrained system applies may
fail to be evident. It turns out that such clauses can always be completed to
evident clauses by adding formulas of the form rxy (so-called safe transitions).
The constrained tableau system thus constitutes a decision procedure for the
satisfiability of modal formulas. The termination of the constrained system also
implies that the basic system can refute every unsatisfiable set of modal formu-
las.
We prepare the termination proofs by defining the necessary terminology. A
term t occurs in A if it is a subterm of a formula in A. Let SubA be the set of all
terms that occur in A, and ModA be the set of all modal terms that occur in A.
By definition, ModA ⊆ SubA. A crucial observation for the termination proofs is
the fact that the tableau rules don’t add new modal terms.
Proposition 9.8.2 If A → C , then ModA = ModC .
Exercise 9.8.3 Find A, C such that A → C and SubC ⊈ SubA.
The height of a clause A is the size of the largest term that occurs in A. If
A → C , then A and C have the same height. In other words, expansion preserves
the height of clauses.
The breadth of a clause A is the number of elements of A (as a set). If A→ C ,
then the breadth of C is larger than the breadth of A. In other words, expansion
increases the breadth of clauses.
The vocabulary of a clause A is the set that contains the default variable x0
and all names that occur in A. If A → C , then the vocabulary of A is a subset of
the vocabulary of C. All rules but R♦ leave the vocabulary of a clause unchanged,
and R♦ adds a new individual variable.
The stock of a clause A consists of all negation normal modal formulas whose
size is at most the height of A and that contain only names that are in the vo-
cabulary of A. The stock of a clause is finite since the vocabulary of a clause is
finite. All rules but R♦ preserve the stock of a clause.
The slack of a clause A is the number of formulas in the stock of A that are
not in A. Every rule but R♦ decreases the slack of a clause. Hence we know that
an infinite derivation must employ R♦.
Proposition 9.8.4 TM terminates for ♦-free clauses.
9.8.1 Termination for ∀-Free Clauses
For this result we look carefully at the new individual variables introduced by R♦.
We call a formula ♦rtx expanded in a clause A if there is a y such that
rxy, ty ∈ A. Note that R♦ can only be applied to unexpanded ♦-formulas,
and that R♦ always expands the ♦-formula it is applied to.
Let’s write x ≺ y if y was introduced by R♦ to expand some formula ♦rtx.
If we draw the dependency relation x ≺ y of a clause as a graph, we obtain a
forest where the roots are initial names (i.e., names not introduced by R♦) and
all other nodes are names introduced by R♦. We obtain termination by showing
that the depth and the degree (maximal number of successors of a node) of the
dependency graph of a derived clause are bounded by the initial clause. We call
a clause A admissible if it satisfies the following two conditions:
1. If x ≺ y and ty ∈ A, then there is some formula sx ∈ A such that the term s
   is larger than the term t.
2. If x ∈ N A, then |{y ∈ N A | x ≺ y}| ≤ |{♦rt | ♦rtx ∈ A and ♦rtx expanded in A}| ≤ |ModA|.
Proposition 9.8.5 Every initial clause is admissible. Moreover, if A is admissible
and A→ C , then C is admissible.
Proposition 9.8.6 Let A be an initial clause, A →∗ C , and ≺ be the dependency
relation of C . Then:
1. The depth of ≺ is bounded by the height of A.
2. The degree of ≺ is bounded by |ModA|.
Proof Follows by Proposition 9.8.5, Proposition 9.8.2, and the definition of ad-
missibility. ∎
Proposition 9.8.7 TM terminates for ∀-free clauses.
Proof By Proposition 9.8.6 we know that R♦ can only be applied finitely often.
Once R♦ is not applied anymore, the remaining rules all decrease the slack of
the clause and hence must terminate. ∎
Note that our termination proof relies on an informal notion of dependency
relation. The dependency relation of a clause can be made formal. For this, we
fix the set of initial variables and then obtain the the dependency relation of Aas { (x,y) | ∃r : rxy ∈ A and y not initial }.
9.8.2 Termination with R♦^p
With R♦ the dependency relation of a derived clause will always be acyclic. Hence
TM will diverge on satisfiable clauses that cannot be satisfied by a finite and acyclic
Kripke set. Example 9.8.1 tells us that such clauses exist. We will now consider
a restricted version R♦^p of R♦ such that the tableau system that uses R♦^p instead
of R♦ terminates. The restricted system may terminate with locally consistent
clauses that are not evident. As it turns out, such clauses can always be com-
pleted to evident clauses by adding formulas of the form rxy . The additional
formulas introduce the cycles needed to obtain a finite Kripke model.
A pattern is a set {♦rt, □rt1, . . . , □rtn} of modal terms such that n ≥ 0.
A pattern {♦rt, □rt1, . . . , □rtn} is realized in A if there are names x, y such
that the formulas rxy, ty, and □rt1x, . . . , □rtnx are in A. A formula ♦rtx is
pattern-expanded in a clause A if the pattern {♦rt} ∪ {□ru | □rux ∈ A} is
realized in A.
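A possible mechanical reading of pattern expansion, sketched in Python (the tuple encoding of formulas is our assumption: tx as ("t", t, x), rxy as ("r", r, x, y)):

```python
def pattern_expanded(r, t, x, A):
    """Is ♦rtx pattern-expanded in A?  Its pattern is {♦rt} ∪ {□ru | □rux ∈ A};
    the pattern is realized if some names x', y have rx'y ∈ A, ty ∈ A, and
    □rux' ∈ A for every box term □ru in the pattern."""
    boxes = {f[1][2] for f in A
             if f[0] == "t" and f[1][0] == "box" and f[1][1] == r and f[2] == x}
    for g in A:
        if g[0] == "r" and g[1] == r:
            xp, y = g[2], g[3]
            if ("t", t, y) in A and all(("t", ("box", r, u), xp) in A for u in boxes):
                return True
    return False
```

On the final clause of Example 9.8.10 below, ♦rpy is pattern-expanded even though it is not expanded.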
Proposition 9.8.8 If a diamond formula is expanded in A, then it is pattern-
expanded in A.
We can now define the constrained tableau rule for diamond formulas:
R♦^p:  ♦rtx / rxy, ty     if y ∉ N A and ♦rtx not pattern-expanded in A

We denote the resulting tableau system with TM^p.
Proposition 9.8.9 TM^p terminates and is refutation sound.
Proof Since ModA is invariant and finite, only finitely many patterns can be
obtained with the modal terms of A. Once a pattern is realized, it stays real-
ized. Every application of R♦^p realizes a pattern that was not realized before.
Hence R♦^p can only be applied finitely often. Since the remaining rules decrease
the slack, TM^p terminates.
Since all proof steps licensed by R♦^p are also licensed by the more permissive
R♦, every TM^p-tableau is also a TM-tableau. Hence TM^p is refutation sound. ∎
Example 9.8.10 Here is a terminating TM^p-derivation starting from the satisfiable
clause of Example 9.8.1.
∀(♦rp) initial clause
♦rpx0 R∀
rx0y, py R♦^p
♦rpy R∀
R♦^p does not apply to ♦rpy since it is pattern-expanded. Note that the obtained
clause is not evident. ∎
It remains to show that TM^p is verification sound. We call formulas of the form
rxy transitions. A transition rxy is safe in A if rxy ∈ A or ∀t : □rtx ∈ A ⟹
ty ∈ A. A formula ♦rtx is quasi-expanded in a clause A if there exists a y such
that rxy is safe in A and ty ∈ A. A set A of negation normal modal formulas is
quasi-evident if it satisfies all conditions for evidence except that for diamond
formulas s ∈ A it suffices that s is quasi-expanded in A (for evidence, expansion
is required). Note that the final clause of Example 9.8.10 is quasi-evident.
Proposition 9.8.11 Let A be a set of negation normal modal formulas to which
no rule of TM^p applies. Then A is quasi-evident.
It remains to show that every quasi-evident set is satisfied by a finite Kripke set.
Proposition 9.8.12
1. If a diamond formula is expanded in A, it is also quasi-expanded in A.
2. If A is evident, A is also quasi-evident.
3. If A is quasi-evident and rxy is safe in A, then A∪ {rxy} is quasi-evident.
Lemma 9.8.13 Let A be quasi-evident and R be the set of all transitions s such
that s is safe in A and N s ⊆ N A. Then A ∪ R is evident.
Proof Since A is quasi-evident, A satisfies all evidence conditions but possi-
bly (6). Adding the safe transitions does not affect the evidence conditions (1)
to (4). Moreover, since the added transitions are safe, evidence condition (5)
continues to hold. It remains to show that every diamond formula in A is expanded
in A∪ R.
Let ♦rtx ∈ A. Since ♦rtx is quasi-expanded in A, there is a transition rxy
such that rxy is safe in A and ty ∈ A. Thus rxy ∈ R. Hence ♦rtx is expanded
in A ∪ R. ∎
Example 9.8.14 A = {∀(♦rp), ♦rpx, rxy, py, ♦rpy} is a quasi-evident
clause. Since A contains no box formulas, rxx, rxy, ryy, and ryx are all
safe in A. Adding ryy to A yields an evident clause. ∎
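The completion with safe transitions used in Lemma 9.8.13 can be sketched directly (Python; the tuple encoding of formulas is our assumption: tx as ("t", t, x), rxy as ("r", r, x, y), ∀t as ("all", t)):

```python
def safe(r, x, y, A):
    """rxy is safe in A if rxy ∈ A or ty ∈ A for every box formula □rtx in A."""
    return ("r", r, x, y) in A or all(
        ("t", f[1][2], y) in A
        for f in A if f[0] == "t" and f[1][0] == "box"
        and f[1][1] == r and f[2] == x)

def complete(A):
    """A ∪ R for R the set of safe transitions over the names of A."""
    ns = {f[2] for f in A if f[0] == "t"} | \
         {z for f in A if f[0] == "r" for z in (f[2], f[3])}
    rels = {f[1][1] for f in A if f[0] == "t" and f[1][0] in ("box", "dia")}
    R = {("r", r, x, y) for r in rels for x in ns for y in ns if safe(r, x, y, A)}
    return set(A) | R
```

On the clause of Example 9.8.14 this adds all four transitions rxx, rxy, ryy, ryx, which introduces exactly the cycle the tableau could not build.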
Theorem 9.8.15 (Model Existence) Let A be a quasi-evident clause. Then there
exists a finite Kripke set that satisfies A.
Proof By Lemma 9.8.13 and Proposition 9.7.10. The finiteness of the Kripke set
follows from the finiteness of A since there are only finitely many transitions s
such that N s ⊆ N A. ∎
Corollary 9.8.16 TM^p is verification sound.
Proof Follows from Theorem 9.8.15 and Proposition 9.8.11. ∎
Theorem 9.8.17 (Decidability) It is decidable whether a finite set of modal for-
mulas is modally satisfiable.
Proof First we obtain an equivalent clause A by translating to negation normal
form (Proposition 9.7.1). Now we apply TM^p to A. The claim follows since TM^p
is terminating, refutation sound, and verification sound (Proposition 9.8.9 and
Corollary 9.8.16). ∎
Theorem 9.8.18 (Finite Model Property) A finite set of modal formulas is
modally satisfiable if and only if it is satisfied by a finite Kripke set.
Proof First we obtain an equivalent clause A by translating to negation normal
form (Proposition 9.7.1). Now we apply TM^p to A. The set is modally satisfiable if
and only if TM^p yields a quasi-evident clause C such that A ⊆ C (follows by Propo-
sition 9.8.9 and Proposition 9.8.11). Now the claim follows by Theorem 9.8.15. ∎
9.9 Remarks
To learn more about modal logic, start with [6] and [24].
Tautologies
Boolean Connectives
x ∧ (y ∧ z) = (x ∧ y) ∧ z              associativity
x ∨ (y ∨ z) = (x ∨ y) ∨ z
x ∧ y = y ∧ x                          commutativity
x ∨ y = y ∨ x
x ∧ x = x                              idempotence
x ∨ x = x
x ∧ (y ∨ z) = (x ∧ y) ∨ (x ∧ z)        distributivity
x ∨ (y ∧ z) = (x ∨ y) ∧ (x ∨ z)
x ∧ (x ∨ y) = x                        absorption
x ∨ (x ∧ y) = x
x ∧ ⊤ = x                              identity
x ∨ ⊥ = x
x ∧ ⊥ = ⊥                              dominance
x ∨ ⊤ = ⊤
x ∧ ¬x = ⊥                             complement
x ∨ ¬x = ⊤
¬(x ∧ y) = ¬x ∨ ¬y                     de Morgan
¬(x ∨ y) = ¬x ∧ ¬y
¬⊤ = ⊥
¬⊥ = ⊤
¬¬x = x                                double negation
(x ∨ y) ∧ (¬x ∨ z) = (x ∨ y) ∧ (¬x ∨ z) ∧ (y ∨ z)   resolution
(x ∧ y) ∨ (¬x ∧ z) = (x ∧ y) ∨ (¬x ∧ z) ∨ (y ∧ z)
Implication
Identity
Bibliography
[1] P. B. Andrews. An Introduction to Mathematical Logic and Type Theory: To
Truth Through Proof, volume 27 of Applied Logic Series. Kluwer Academic
Publishers, second edition, 2002.
[2] Brian Aydemir, Arthur Charguéraud, Benjamin C. Pierce, Randy Pollack, and
Stephanie Weirich. Engineering formal metatheory. In POPL ’08: Proceed-
ings of the 35th annual ACM SIGPLAN-SIGACT symposium on Principles of
programming languages, pages 3–15. ACM, 2008.
[3] F. Baader and T. Nipkow. Term Rewriting and All That. Cambridge Univer-
sity Press, 1998.
[4] Franz Baader, Diego Calvanese, Deborah L. McGuinness, Daniele Nardi, and
Peter F. Patel-Schneider, editors. The Description Logic Handbook: Theory,
Implementation, and Applications. Cambridge University Press, 2007.
[5] Henk P. Barendregt. The Lambda Calculus: Its Syntax and Semantics, volume
103 of Studies in Logic and the Foundations of Mathematics. North-Holland,
2nd revised edition, 1984.
[6] Patrick Blackburn, Maarten de Rijke, and Yde Venema. Modal Logic. Cam-
bridge University Press, 2001.
[7] George Boole. An Investigation of the Laws of Thought. Walton, London,
1847.
[8] Egon Börger, Erich Grädel, and Yuri Gurevich. The Classical Decision Prob-
lem. Springer, 1997.
[9] Alonzo Church. A set of postulates for the foundation of logic. Annals of
Mathematics, 32:346–366, 1932.
[10] Alonzo Church. A formulation of the simple theory of types. J. Symb. Log.,
5(1):56–68, 1940.
[11] Alonzo Church. The Calculi of Lambda-Conversion. Princeton University
Press, 1941.
[12] Nicolaas G. de Bruijn. Lambda-calculus notation with nameless dummies: a
tool for automatic formula manipulation with application to the Church-
Rosser theorem. Indag. Math., 34(5):381–392, 1972.
[13] Gottlob Frege. Begriffsschrift, eine der arithmetischen nachgebildete Formel-
sprache des reinen Denkens. Verlag von Louis Nebert, Halle, 1879. Trans-
lated in [40], pp. 1–82.
[14] Gottlob Frege. Grundgesetze der Arithmetik begriffsschriftlich abgeleitet.
Verlag Hermann Pohle, Jena, 1893. Translated in [40].
[15] H. Friedman. Equality between functionals. In R. Parikh, editor, Proceedings
of the Logic Colloquium 72-73, volume 453 of Lecture Notes in Mathematics,
pages 22–37. Springer, 1975.
[16] Gerhard Gentzen. Untersuchungen über das natürliche Schließen I, II. Math-
ematische Zeitschrift, 39:176–210, 405–431, 1935.
[17] Jean-Yves Girard, Paul Taylor, and Yves Lafont. Proofs and types. Cambridge
University Press, 1989.
[18] Kurt Gödel. Die Vollständigkeit der Axiome des logischen Functio-
nenkalküls. Monatshefte für Mathematik und Physik, 37:349–360, 1930.
Translated in [40], pp. 102-123.
[19] John Harrison. HOL Light tutorial (for version 2.20).
http://www.cl.cam.ac.uk/~jrh13/hol-light/tutorial_220.pdf, 2006.
[20] L. Henkin. Completeness in the theory of types. Journal of Symbolic Logic,
15(2):81–91, June 1950.
[21] L. Henkin. A theory of propositional types. Fundamenta Mathematicae,
52:323–344, 1963.
[22] J. R. Hindley. Basic Simple Type Theory, volume 42 of Cambridge Tracts in
Theoretical Computer Science. Cambridge University Press, 1997.
[23] Michael Huth and Mark Ryan. Logic in Computer Science. Cambridge, second
edition, 2004.
[24] Mark Kaminski and Gert Smolka. Terminating tableau systems for
modal logic with equality. Technical report, Saarland University, 2008.
http://www.ps.uni-sb.de/Papers/abstracts/KaminskiSmolka08equality.pdf.
[25] Jean-Louis Krivine. Introduction to Axiomatic Set Theory. Reidel, Dordrecht,
Holland, 1971.
[26] Azriel Levy. Basic Set Theory. Springer, Berlin - New York, 1979.
[27] Daniel R. Licata, Noam Zeilberger, and Robert Harper. Focusing on binding
and computation. In LICS. IEEE, 2008.
[28] J. C. Mitchell. Foundations for Programming Languages. Foundations of
Computing. The MIT Press, 1996.
[29] T. Nipkow, L. C. Paulson, and M. Wenzel. Isabelle/HOL — A Proof Assistant
for Higher-Order Logic, volume 2283 of LNCS. Springer, 2002.
[30] G. Peano. Arithmetices principia, nova methodo exposita. Turin, 1889.
Translated in [40], pp. 83–97.
[31] B. C. Pierce. Types and Programming Languages. The MIT Press, 2002.
[32] G. D. Plotkin. Lambda-definability in the full type hierarchy. In J. R. Hind-
ley and J. P. Seldin, editors, To H. B. Curry: Essays on Combinatory Logic,
Lambda Calculus and Formalism, pages 365–373. Academic Press, 1980.
[33] Randal E. Bryant. Graph-Based Algorithms for Boolean Function Manipula-
tion. IEEE Transactions on Computers, C-35(8):677–691, August 1986.
[34] Bertrand Russell. Mathematical logic as based on the theory of types. Amer-
ican Journal of Mathematics, 30:222–262, 1908.
[35] Moses Schönfinkel. Über die Bausteine der Mathematischen Logik. Mathe-
matische Annalen, 92:305–316, 1924.
[36] Allen Stoughton. Substitution revisited. Theoretical Computer Science,
59:317–325, 1988. http://people.cis.ksu.edu/~stough/research/subst.ps.
[37] W. Tait. Intensional interpretations of functionals of finite type I. Journal of
Symbolic Logic, 32(2):198–212, 1967.
[38] A.S. Troelstra and H. Schwichtenberg. Basic Proof Theory. Cambridge Uni-
versity Press, second edition, 2000.
[39] Christian Urban, Stefan Berghofer, and Michael Norrish. Barendregt’s vari-
able convention in rule inductions. In CADE, volume 4603 of Lecture Notes
in Computer Science, pages 35–50. Springer, 2007.
[40] J. van Heijenoort, editor. From Frege to Gödel: A Source Book in Mathemati-
cal Logic, 1879–1931. Source Books in the History of the Sciences. Harvard
University Press, 2002.
[41] Edward N. Zalta, editor. Stanford Encyclopedia of Philosophy. Metaphysics
Research Lab, CSLI, Stanford University, 2008. http://plato.stanford.edu/.